Tuesday, April 28, 2009

FSMO ROLE

Windows 2000/2003 Single-Master Model
To prevent conflicting updates in Windows 2000/2003, Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process a given kind of update. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server, it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003 includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol. All Windows 2000/2003-based computers within an enterprise use a common time. The time service uses a hierarchical relationship that controls authority and does not permit loops, so that all computers converge on the same common time.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their in-bound time partner.
In a Windows 2000/2003 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member servers, and domain controllers that are running Windows NT 4.0 or earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs the other functions as described in a Windows 2000/2003 environment.
At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.
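The following is an added example, not part of the original post: it lists the holders of the five roles described above (two forest-wide, three per domain) and applies the Infrastructure Master / Global Catalog check from the note, warning when the IM is a GC while other DCs in the domain are not. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and a domain-joined, authenticated session; the function names are this example's own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module and rights to read forest and domain objects.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Forest)   # optional forest name; defaults to the current forest

    $f = if ($Forest) { Get-ADForest -Identity $Forest } else { Get-ADForest }

    # Forest-wide roles: exactly one holder each in the whole forest.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        [PSCustomObject]@{
            Scope  = "Forest $($f.Name)"
            Role   = $role
            Holder = $f.$role
        }
    }

    # Domain-wide roles: one holder per domain in the forest.
    foreach ($domainName in $f.Domains) {
        $d = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [PSCustomObject]@{
                Scope  = "Domain $($d.DNSRoot)"
                Role   = $role
                Holder = $d.$role
            }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain)   # optional DNS domain name; defaults to the current domain

    $d   = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    $dcs = Get-ADDomainController -Filter * -Server $d.DNSRoot
    $im  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }

    if (-not $im) {
        Write-Warning "$($d.DNSRoot): Infrastructure Master $($d.InfrastructureMaster) not found among the domain's DCs."
        return $null
    }

    # Placement is only a problem when the IM is a GC and some other DC is not;
    # if every DC is a GC, all of them already hold current data.
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    if ($im.IsGlobalCatalog -and -not $allGc) {
        Write-Warning "$($d.DNSRoot): Infrastructure Master $($im.HostName) is a Global Catalog while other DCs are not; cross-domain references will not be updated."
        return $false
    }
    return $true
}

Get-FsmoReport | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

On a Windows 2000/2003 domain controller without the module, the equivalent listing comes from the support tool command netdom query fsmo, and the GC status of each DC can be checked in Active Directory Sites and Services.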

GLOSSARY - TECHNICAL REFERENCE

abstract type: A type used in this specification whose representation need not be standardized for interoperability because the type's use is internal to the specification. See concrete type.
access control entry (ACE): An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies the principal (including group principals) for whom the rights are allowed, denied, or audited.
access control list (ACL): A sequence of access control entries (ACEs) that describes the rules for authorizing access to some resource; for example, an object or set of objects.
Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
Active Directory Domain Services (AD DS): AD DS is an operating system directory service implemented by a domain controller (DC). The directory service provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Windows 2000 and is available as part of Windows 2000 Server and Windows Server 2003 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008 and Windows Server 7. AD DS is not present in Windows 3.1, Windows NT 3.51, Windows NT 4.0, or Windows XP. For more information, see [MS-SECO] section 2.5.2 and [MS-ADTS].
Active Directory Lightweight Directory Services (AD LDS): AD LDS is an operating system directory service implemented by a domain controller (DC). The most significant difference between AD LDS and AD DS is that AD LDS does not host domain NCs. A server can host multiple AD LDS DCs. (In Microsoft documentation, AD LDS is sometimes called "ADAM".)
application NC: A specific type of naming context (NC). An application NC does not contain security principal objects and does not appear in the GC. The root of an application NC is an object of class domainDNS. See domainDNS.
attribute: (Note: This definition is a specialization of the "attribute" concept that is described in section 1, Introduction.) An identifier for a single- or multivalued data element associated with an LDAP directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (e-mail addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.
attribute syntax: A specification of the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), String(Unicode), and Object(DS-DN).
attributeID: The attributeID attribute. An OID-valued identifying attribute of each attributeSchema object in the schema NC.
back link attribute: A computed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between forward link attributes and back link attributes is expressed using the linkID attribute on the attributeSchema objects representing the two attributes. The forward link's linkID is an even number, and the back link's linkID is the forward link's linkID plus one. For more information, see [MS-ADTS] section 3.1.1.1.6.
binary OID: An object identifier (OID) in a Basic Encoding Rules (BER)–encoded binary format, as specified in [ITUX690] section 8.19.
built-in domain: The SID namespace that is defined by the fixed SID S-1-5-32. The built-in domain contains groups that define roles on a local computer, such as "Backup Operators".
built-in domain SID: The fixed SID S-1-5-32 of the built-in domain.
built-in principal: A security principal within the built-in domain whose SID is identical in every domain.
canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a path that still identifies an object within a forest. The DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/". See domainDNS.
child object, children: See section 1, Introduction.
class: See object class.
computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.
concrete type: A type used in this specification whose representation must be standardized for interoperability. Specific cases include types in the IDL definition of an RPC interface, types sent over RPC but whose representation is unknown to RPC, and types stored as byte strings in directory attributes.
configuration naming context (config NC): A specific type of NC that contains configuration information. A forest has a single config NC, which is shared among all DCs in the forest.
critical object: A subset of the objects in the default NC, identified by the attribute isCriticalSystemObject having the value TRUE. The objects that are marked in this way are essential for the operation of a DC hosting the NC.
crossRef object: An object of class crossRef. Each crossRef object is a child of the partitions container in the config NC. A crossRef describes the properties of an NC, such as its DNS name, operational settings, and so on.
default naming context (default NC): Part of the state of a DC. A DC's default NC is the NC of its default NC replica. A DC's default NC contains the DC's computer object.
default naming context replica (default NC replica): Part of the state of a DC. A DC's default NC replica is the full domain NC replica hosted by the DC.
deleted-object: An object that has been deleted, but that remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed into a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion and may be undeleted without loss of information. Deleted-objects exist only when the Recycle Bin optional feature is enabled.
deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.
directory object (or object): An Active Directory object, which is a specialization of the "object" concept that is described in section 1, Introduction. The identifying attribute is objectGUID, and the parent-identifying attribute (not exposed as an LDAP attribute) is parent. Active Directory objects are similar to LDAP entries, as defined in [RFC2251]; the differences are specified in [MS-ADTS] section 3.1.1.3.1.
distinguished name (DN): A human-readable name for an object; every object has a DN. Active Directory DNs are LDAP DNs [RFC2251], restricted as specified in [MS-ADTS] section 3.1.1.3.1.2.1. The DN of an object is the object's RDN followed by "," followed by the DN of its parent; for example: "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com". See canonical name.
domain: A unit of security administration and delegation in a Microsoft Windows network. For more information, see [MS-SECO] section 2.5, and [MS-ADTS].
domain naming context (domain NC): A type of NC that represents a domain. A domain NC can contain security principal objects; no other type of NC can contain security principal objects. Domain NCs appear in the GC. A forest has one or more domain NCs. The root of a domain NC is an object of class domainDNS. See domainDNS.
domain security identifier (domain SID): The SID of the root object of a domain NC. The relative identifier (RID) portion of the domain SID is always zero. Every security principal object in a domain NC has an objectSid attribute equal to the domain SID except for the RID portion.
domainDNS: A specific object class. The root of a domain NC or an application NC is an object of class domainDNS. The DN of such an object takes the form
dc=n1,dc=n2, ... dc=nk
where each ni satisfies the syntactic requirements of a DNS name component. For more information, see [RFC1034]. Such a DN corresponds to the DNS name
n1.n2. ... .nk
This is the DNS name of the NC, and it allows replicas of the NC to be located by using DNS.
DSA GUID: The objectGUID of a DSA object.
DSA object: An object of class nTDSDSA, always located in the config NC. This object represents a DC in the forest.
DSName: A DSName is a tuple that contains between one and three identifiers for an object. The possible identifiers are the object's GUID (attribute objectGUID), SID (attribute objectSid), and DN (attribute distinguishedName). Given a DSName, an object can be identified within a set of NC replicas according to the matching rules defined in section 5.32.
dynamic object: An object with a "time-to-die" attribute, msDS-Entry-Time-To-Die. Active Directory "garbage-collects" a dynamic object immediately after the time-to-die of the object has passed. The constructed attribute entryTTL gives a dynamic object's current "time-to-live"; that is, the difference between the current time and msDS-Entry-Time-To-Die. See [RFC2589].
endpoint: A network-specific address of a server process for remote procedure calls. The actual name of the endpoint depends on the RPC protocol sequence being used. For example, for the NCACN_IP_TCP RPC protocol sequence, an endpoint might be TCP port 1025. For more information, see [C706].
entry: A term often used as a synonym for object, but not in this document.
extended canonical name: Same as a canonical name, except that the rightmost forward slash ('/') is replaced with a newline character.
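An added example, not from the glossary, that carries out the transformations defined in the distinguished name, relative distinguished name, canonical name and extended canonical name entries above. It assumes the DN contains no escaped commas (RFC 4514 escaping is not handled), and the function names are this example's own.

```powershell
# Added example (not from the glossary): DN -> RDN / canonical name / extended
# canonical name. Assumes no escaped commas inside RDN values.
function ConvertTo-CanonicalName {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$Extended   # replace the rightmost '/' with a newline character
    )
    # Split "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" into its RDNs.
    $rdns = @($DistinguishedName -split ',' | ForEach-Object { $_.Trim() })

    # The dc= components, kept in DN order, form the DNS name ("microsoft.com").
    $dnsName = @($rdns | Where-Object { $_ -match '^dc=' } |
                ForEach-Object { ($_ -split '=', 2)[1] }) -join '.'

    # The remaining components are reversed so the path runs from the root down.
    $path = @($rdns | Where-Object { $_ -notmatch '^dc=' } |
              ForEach-Object { ($_ -split '=', 2)[1] })
    [array]::Reverse($path)

    # With no non-dc components the path is empty and the result ends in '/'.
    $canonical = $dnsName + '/' + ($path -join '/')

    if ($Extended) {
        $i = $canonical.LastIndexOf('/')
        $canonical = $canonical.Substring(0, $i) + "`n" + $canonical.Substring($i + 1)
    }
    return $canonical
}

function Get-Rdn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The RDN is the leftmost attribute-value pair of the DN.
    return ($DistinguishedName -split ',', 2)[0].Trim()
}

# The glossary's own example DNs.
ConvertTo-CanonicalName 'cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com'
ConvertTo-CanonicalName 'dc=microsoft, dc=com'
ConvertTo-CanonicalName 'cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com' -Extended
Get-Rdn 'cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com'
```

For the glossary's example the first two calls yield "microsoft.com/NTDEV/Peter Houston" and "microsoft.com/", exactly as the canonical name entry states, and the RDN is "cn=Peter Houston"; the extended form has a newline in place of the last slash.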
flexible single master operation: See FSMO.
forest root domain NC: The domain NC within a forest that is the parent of the config NC. The DNS name of the forest root domain NC serves as the forest's name.
forward link attribute: A specific type of attribute. The values of a forward link attribute include object references (for example, syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, that is a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa. See [MS-ADTS] section 3.1.1.1.6.
FSMO (flexible single master operation): A read or update operation on an NC, such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term (pronounced "fizmo") is never used alone; see FSMO role, FSMO role owner.
FSMO role: A set of objects that can be updated in only one NC replica at any given time. For more information, see [MS-ADTS] section 3.1.1.1.11. See FSMO role owner.
FSMO role abandon: A request to a DC D. The effect is for D to request the current owner of a specified FSMO role to transfer the role to D (see FSMO role transfer). Abandon is typically initiated by the current role owner in anticipation of being unable to host the role; for example, because the DC is being decommissioned. The server-to-server methods required to implement any aspect of a FSMO role, or to transfer a FSMO role from one DC to another DC, are not included in this document and are not required for interoperation with Windows client operating systems.
FSMO role object: The object in the domain or forest that represents a specific FSMO role. This object is a member of the FSMO role and contains the fSMORoleOwner attribute.
FSMO role transfer: A request to a DC D. If D is the current owner of the specified FSMO role, the effect is to transfer that role to the client; if D is not the current owner of the role, the effect is to update the client's role objects from D's replica, so that the client can try the request again on another DC. The server-to-server methods required to implement any aspect of a FSMO role, or to transfer a FSMO role from one DC to another DC, are not included in this document and are not required for interoperation with Windows client operating systems.
global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group object G is a global group if GROUP_TYPE_ACCOUNT_GROUP is present in G's groupType attribute. A global group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupType attribute; in this case the group is valid for inclusion within access control lists (ACLs) anywhere in the forest.
globally unique identifier (GUID): A 128-bit value used in cross-process communication to identify entities such as client and server interfaces and RPC objects. For more information, see [C706]. A string representation of GUIDs, commonly called the "dashed-string" representation, is specified in [RFC4122] section 3.
governsID: The governsID attribute. An OID-valued identifying attribute of each classSchema object in the schema NC.
group: See group object.
group object: An object of class group, representing a set of objects. A group has a forward link attribute member; the values of this attribute either represent elements of the group (for example, objects of class user or computer) or represent subsets of the group (objects of class group). Representation of group subsets is called "nested group membership". The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for example, used to represent e-mail distribution lists).
group principal: A group representing a collection of security principals. A group principal can be used in an ACE to collectively grant or deny permissions to all the security principals in that group.
invocation ID: A unique identifier for a function that maps from update sequence numbers (USNs) to updates to the NC replicas of a DC.
Knowledge Consistency Checker (KCC): An internal Windows component of Active Directory replication used to create spanning trees for server-to-server replication and to translate those trees into settings of variables that implement the replication topology. The implementation details of this component are not included in this document and are not required for interoperation with Windows client operating systems.
lingering object: An object that still exists in an NC replica even though it has been deleted and "garbage-collected" from other replicas. These objects are a consequence of a characteristic of the server-to-server replication implementation. Lingering objects can occur in this implementation, for example, when a DC goes offline for longer than the tombstone lifetime. The specific details of the implementation that can create a lingering object are not included in this document and are not required for interoperation with Windows client operating systems.
mixed mode: A state of an Active Directory domain that supports DCs running Windows NT Server 4.0. Mixed mode does not allow organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See native mode.
naming context (NC): An NC is a DSName, containing at least a DN and a GUID, used in forming names for a tree of objects. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root. The SID of the DSName, if present, is the objectSid attribute of the tree root; the SID is present if and only if the NC is a domain NC. Active Directory allows NCs to be organized into a tree structure.
native mode: A state of an Active Directory domain in which all current and future DCs run Windows 2000 Server or higher; no DCs run Windows NT Server 4.0. Native mode allows organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See mixed mode.
NC replica: A variable containing a tree of objects whose root object is identified by some NC.
nTDSDSA object: An object of class nTDSDSA. See DSA object.
object: See section 1, Introduction.
object class: See section 1, Introduction.
object class name: The lDAPDisplayName of the classSchema object of a class. This document consistently uses object class names to denote classes; for example, user and group are both object class names. The correspondence between LDAP display names and numeric OIDs in the Active Directory schema is specified in the following appendices of [MS-ADTS]: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].
object identifier (OID): A sequence of numbers in a format defined in [RFC1778]. See attributeID, governsID.
object of class x (or x object): An object O such that one of the values of its objectClass attributes is x. For example, if O's objectClass contains the value user, O is an object of class user. This is often contracted to "user object".
object reference: An attribute value that identifies an object; reading an object reference gives the DN or full DSName of the object.
objectClass: The objectClass attribute. The attribute on an object that holds the object class name of each object class of the object.
objectGUID: The objectGUID attribute. The identifying attribute on an object, in the sense of the "object" concept that is described in section 1, Introduction. The value of an object's objectGUID is a GUID assigned when the object was created and is immutable thereafter. The integrity of object references between NCs and of replication depends on the integrity of the objectGUID attribute.
objectSid: The objectSid attribute. The attribute on an object whose value is a SID that identifies the object as a security principal object. The value of an object's objectSid is assigned when the security principal object was created and is immutable thereafter unless the object moves to another domain. The integrity of authentication depends on the integrity of the objectSid attribute.
optional feature: A non-default behavior that modifies the Active Directory state model. For more information, refer to [MS-ADTS] section 3.1.1.8.
oriented tree: A directed acyclic graph such that for every vertex v, except one (the root), there is a unique arc whose initial vertex is v. There is no arc whose initial vertex is the root. For more information, see [KNUTH1] section 2.3.4.2.
parent object: See section 1, Introduction.
partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects that it contains. A partial NC replica is not writable—it does not accept originating updates. See writable NC replica.
Partitions container: A child object of the config NC root. The RDN of the Partitions container is "cn=Partitions" and its class is crossRefContainer. See crossRef object.
PDC emulator: A DC that is designated to track changes made to the accounts of all computers in a domain. The PDC emulator is the only computer to receive these changes directly and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC emulator.
primary domain controller (PDC): See PDC emulator.
principal: See security principal.
read permission: Authorization to read an attribute of an object. For more information, see [MS-ADTS] section 5.1.3.
Recycle Bin: An optional feature that modifies the state model of object deletions and undeletions, making undeletion of deleted-objects possible without loss of the object's attribute values. For more information, refer to [MS-ADTS] section 3.1.1.8.1.
recycled-object: An object that has been deleted, but that remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. Unlike a deleted-object, most of the state of the object has been removed, and the object may no longer be undeleted without loss of information. By keeping the recycled-object in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Recycled-objects exist only when the Recycle Bin optional feature is enabled.
read-only domain controller (RODC or read-only DC): An AD DS DC that performs no originating updates.
relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the DN of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston".
relative identifier (RID): The last item in the series of subauthority values in a SID (see [MS-DTYP] section 2.4.2). Differences in the RID are what distinguish the different SIDs generated within a domain.
replica: See section 1, Introduction.
replicated attribute: An attribute whose values are replicated. See replication.
replicated update: An update performed to an NC replica by the implemented replication system to propagate the effect of an originating update at another NC replica. The stamp assigned during the originating update to an attribute or a link value is preserved by replication. Neither this stamp nor any other specific aspects of a replicated update are required for interoperation with Windows client operating systems.
replication: The process of propagating the effects of all originating writes, to any replica of an NC, to all replicas of the NC. If originating writes cease and replication continues, all replicas converge to a common application-visible state. The description and details of the methods used for this server-to-server implementation are not included in this document and are not required for interoperation with Windows client operating systems.
RID allocation pool: The set of RIDs that a domain NC replica can assign to new objects having the objectSid attribute without obtaining more RIDs from the domain NC's RID available pool. See relative identifier (RID), objectSid.
RID available pool: The set of RIDs for a domain NC that have not been assigned to the RID allocation pool of any replica of the NC. The RID available pool is represented by the values of attributes within the domain NC's RID Master FSMO role.
root domain: See forest root domain NC.
RPC protocol sequence: A character string that represents a valid combination of an RPC protocol, a network layer protocol, and a transport layer protocol. For example, the protocol sequence NCACN_IP_TCP describes a Network Computing Architecture (NCA) connection over the Internet Protocol (IP) with a Transmission Control Protocol (TCP) as transport. For more information, see [C706] and [MS-RPCE] section 2.1.
schema naming context (schema NC): A specific type of NC that contains schema objects representing the schema. A forest has a single schema NC, which is replicated to each DC in the forest. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC.
secret data: An implementation-specific set of attributes on objects of class user that contain security-sensitive information about the security principal.
security context: A data structure containing authorization information for a particular security principal in the form of a collection of SIDs. One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.
security descriptor: A data structure containing the security information associated with a securable entity, such as an object. A security descriptor identifies an object's owner by SID. If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.
security identifier (SID): An identifier for a security principal object. The SID is composed of an account authority portion (typically corresponding to a domain) and an integer representing an identity relative to the account authority, termed the RID. The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of a SID is specified in [MS-SECO] section 2.3. See relative identifier (RID).
security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret shared only by the principal. In Active Directory, a security principal object is identified by the objectSid attribute. In Active Directory, the domainDNS, user, computer, and group classes are examples of security principal object classes (though not every group object is a security principal object). See domainDNS, objectSid, computer object, group object, user object.
server object: A class of object in the config NC. A server object can have a DSA object as a child.
service account object: The security principal object that corresponds to the principal running a service. For a typical service (including some configurations of an AD LDS DC), this is a user object; for a service running as Local System or Network Service (including all AD DS DCs and the default configuration of an AD LDS DC), this is the computer object of the computer.
service principal name (SPN): The name a client uses to identify a service for mutual authentication. (For more information, see [RFC1964] section 2.1.1.) An SPN consists of either two parts or three parts, each separated by a forward slash ('/'). The first part is the service class name, the second part is the instance name, and the third part (if present) is the service name. For example, "ldap/dc-01.fabrikam.com/fabrikam.com" is a three-part SPN where "ldap" is the service class name, "dc-01.fabrikam.com" is the instance name, and "fabrikam.com" is the service name.
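An added example, not from the glossary, that splits the string forms of two identifiers defined above: a SID into the account-authority part and the RID (the last subauthority value, as the security identifier and relative identifier entries describe), and an SPN into its two or three slash-separated parts. The sample SID values are constructed placeholders, and the function names are this example's own.

```powershell
# Added example (not from the glossary): parse SID and SPN strings.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    # Accept only the "S-1-<authority>-<subauthority>-..." string form.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: $Sid" }
    $parts = $Sid -split '-'
    [PSCustomObject]@{
        Sid              = $Sid
        # Everything before the last subauthority: the domain SID for domain
        # principals (S-1-5-21-...), or S-1-5-32 for built-in principals.
        AccountAuthority = ($parts[0..($parts.Length - 2)] -join '-')
        # The last subauthority value is the RID.
        Rid              = [uint32]$parts[-1]
    }
}

function Split-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2 -or $parts.Count -gt 3) {
        throw "An SPN has two or three parts: $Spn"
    }
    # The third part (the service name) is optional.
    $serviceName = if ($parts.Count -eq 3) { $parts[2] } else { $null }
    [PSCustomObject]@{
        Spn          = $Spn
        ServiceClass = $parts[0]
        InstanceName = $parts[1]
        ServiceName  = $serviceName
    }
}

# Constructed sample values (placeholder subauthorities, not from any real forest).
Split-Sid 'S-1-5-21-1111111111-2222222222-3333333333-512'   # a domain SID followed by RID 512
Split-Sid 'S-1-5-32-544'                                     # built-in domain SID S-1-5-32, RID 544
Split-Spn 'ldap/dc-01.fabrikam.com/fabrikam.com'             # the glossary's three-part SPN
Split-Spn 'host/dc-01.fabrikam.com'                          # a two-part SPN
```

Because a SID string is compared as a whole when authorizing access, a parser like this belongs in tooling that audits ACLs (for example, grouping ACEs by account authority to spot principals from an unexpected domain), not in the access check itself.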
site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects), an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When a user logs in, an Active Directory client finds a DC that is in the same site as the client, or near the same site if there is no DC in the site. See Knowledge Consistency Checker (KCC), site object.
site object: An object of class site, representing a site.
site of a DC: The site object that is an ancestor of a DC's DSA object. See site object.
stamp: Information describing an originating update by a DC. The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the actual data values. Neither this stamp nor any other specific aspects of a replicated update are required for interoperation with Windows client operating systems.
STATUS code: A 32-bit quantity where zero represents success and nonzero represents failure. The specific failure codes used in this specification are documented in section 5, STATUS codes.
tombstone: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. By keeping the tombstone in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Tombstones exist only when the Recycle Bin optional feature is not enabled.
tombstone lifetime: The amount of time that a tombstone or recycled-object is kept in storage before it is permanently deleted.
Unicode: An industry standard representation for text and symbols from the world's writing systems. UTF-16 is a 16-bit, variable-width encoding of Unicode; UTF-8 is an 8-bit, variable-width encoding.
universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object G is a universal group if GROUP_TYPE_UNIVERSAL_GROUP is present in G's groupType attribute. A universal group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupType attribute; in this case, the group is valid for inclusion within ACLs anywhere in the forest.
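The groupType test described above is a bit test, and in practice it trips people up because LDAP hands groupType back as a signed 32-bit integer: a universal security group reads "-2147483640", not "2147483656". The following Python is an added example, not part of the original glossary: it decodes groupType into scope, security-enabled status and where the group can appear in ACLs, and builds the bitwise LDAP filter for finding such groups. The flag values other than the two named in the entry, and the LDAP_MATCHING_RULE_BIT_AND OID, are taken from [MS-ADTS] rather than from this page.

```python
# groupType flag values from [MS-ADTS] (Group Type Flags). The glossary entry
# names only GROUP_TYPE_UNIVERSAL_GROUP and GROUP_TYPE_SECURITY_ENABLED.
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002       # global group
GROUP_TYPE_RESOURCE_GROUP = 0x00000004      # domain local group
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_APP_BASIC_GROUP = 0x00000010     # application (AD LDS / AzMan) groups
GROUP_TYPE_APP_QUERY_GROUP = 0x00000020
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# LDAP_MATCHING_RULE_BIT_AND: "attribute AND mask == mask" in an LDAP filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

_SCOPE_BITS = {
    GROUP_TYPE_ACCOUNT_GROUP: "global",
    GROUP_TYPE_RESOURCE_GROUP: "domain local",
    GROUP_TYPE_UNIVERSAL_GROUP: "universal",
    GROUP_TYPE_APP_BASIC_GROUP: "app basic",
    GROUP_TYPE_APP_QUERY_GROUP: "app query",
}


def decode_group_type(value) -> dict:
    """Interpret a groupType attribute value as returned by LDAP.

    The value is a decimal string holding a *signed* 32-bit integer; mask it to
    32 bits before testing flags or the SECURITY_ENABLED bit is missed.
    """
    raw = int(value)
    if not -(1 << 31) <= raw < (1 << 32):
        raise ValueError(f"groupType {value!r} is not a 32-bit integer")
    bits = raw & 0xFFFFFFFF
    scopes = [name for bit, name in _SCOPE_BITS.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError(
            f"groupType {value!r} sets {len(scopes)} scope bits, expected exactly 1")
    scope = scopes[0]
    security_enabled = bool(bits & GROUP_TYPE_SECURITY_ENABLED)
    # Where the group may be placed in ACLs: global and universal security
    # groups anywhere in the forest, domain local (incl. builtin local) only in
    # their own domain, distribution groups nowhere. Application groups are
    # consumed by AzMan / AD LDS, not by Windows ACLs.
    if not security_enabled or scope.startswith("app"):
        acl_scope = None
    elif scope in ("global", "universal"):
        acl_scope = "forest"
    else:
        acl_scope = "domain"
    return {
        "scope": scope,
        "builtin": bool(bits & GROUP_TYPE_BUILTIN_LOCAL_GROUP),
        "security_enabled": security_enabled,
        "acl_scope": acl_scope,
    }


def group_type_filter(mask: int) -> str:
    """LDAP filter for groups whose groupType has every bit in `mask` set,
    e.g. mask = UNIVERSAL | SECURITY_ENABLED for all universal security groups."""
    return f"(&(objectClass=group)(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))"


if __name__ == "__main__":
    for sample in ("-2147483640", "8", "-2147483643", "-2147483646"):
        print(sample, decode_group_type(sample))
    print(group_type_filter(GROUP_TYPE_UNIVERSAL_GROUP | GROUP_TYPE_SECURITY_ENABLED))
```

The sample values are constructed: -2147483640 is a universal security group, 8 a universal distribution group, -2147483643 a built-in local group such as BUILTIN\Administrators, and -2147483646 a global security group.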
universally unique identifier (UUID): See GUID.
up-to-date vector: A structure in the Microsoft implementation of server-to-server replication that is a representation of an assertion about the presence of originating updates from different sources in an NC replica. This structure is used in the server-to-server replication implementation and is not required for interoperation with Windows client operating systems. See update sequence number (USN).
update: An add, modify, or delete of one or more objects or attribute values. See originating update, replicated update.
update sequence number (USN): A monotonically increasing sequence number used in assigning a stamp to an originating update. For more information, see [MS-ADTS] section 3.1.1.1.9. This structure is used in the server-to-server replication implementation, and is not required for interoperation with Windows client operating systems. See invocation ID.
user object: An object of class user. A user object is a security principal object; the principal is a person or service entity. The shared secret allows the person or service entity to authenticate itself.
well-known endpoint: A network-specific address that is known between client and server instances. See also Endpoint. For more information, see [C706].
Windows error code: A 32-bit quantity where zero represents success and nonzero represents failure. Specific failure codes are documented in [MS-ERREF].
writable NC replica: An NC replica that accepts originating updates. See full NC replica, partial NC replica.

Wednesday, April 22, 2009

EXCHANGE SERVER 2003 INTERVIEW QUESTIONS


Tell me a bit about the capabilities of Exchange Server.
What are the different Exchange 2003 versions?
What's the main differences between Exchange 5.5 and Exchange 2000/2003?
What are the major network infrastructure requirements for installing Exchange 2003?
What is the latest Exchange 2003 Service Pack? Name a few changes in functionality in that SP.
What are the disk considerations when installing Exchange (RAID types, locations and so on).
You got a new HP DL380 (2U) server, dual Xeon, 4GB of RAM, 7 SAS disks, 64-bit. What do you do next to install Exchange 2003? (you have AD in place)
Why not install Exchange on the same machine as a DC?
Are there any other installation considerations?
How would you prepare the AD Schema in advance before installing Exchange?
What type of permissions do you need in order to install the first Exchange server in a forest? In a domain?
How would you verify that the schema was in fact updated?
What type of memory optimization changes could you do for Exchange 2003?
How would you check your Exchange configuration settings to see if they're right?
What are the Exchange management tools? How and where can you install them?
What types of permissions are configurable for Exchange?
How can you grant access for an administrator to access all mailboxes on a specific server?
What is the Send As permission?
What other management tools are used to manage and control Exchange 2003? Name the tools you'd use.
What are Exchange Recipient types? Name 5.
You created a mailbox for a user, yet the mailbox does not appear in ESM. Why?
You wanted to change mailbox access permissions for a mailbox, yet you see the SELF permission alone on the permissions list. Why?
What are Query Based Distribution groups?
What type of groups would you use when configuring distribution groups in a multiple domain forest?
Name a few configuration options for Exchange recipients.
What's the difference between Exchange 2003 Std. and Ent. editions when related to storage options and size?
Name a few configuration options related to mailbox stores.
What are System Public Folders? Where would you find them?
How would you plan and configure Public Folder redundancy?
How can you immediately stop PF replication?
How can you prevent PF referral across slow WAN links?
What types of PF management tools might you use?
What are the differences between administrative permissions and client permissions in PF?
How can you configure PF replication from the command prompt in Exchange 2003?
What are the message hygiene options you can use natively in Exchange 2003?
What are the configuration options in IMF?
What are virtual servers? When would you use more than one?
Name some of the SMTP Virtual Server configuration options.
What is a Mail Relay? Name a few known mail relay software or hardware options.
What is a Smart Host? Where would you configure it?
What are Routing Groups? When would you use them?
What are the types of Connectors you can use in Exchange?
What is the cost option in Exchange connectors?
What is the Link State Table? How would you view it?
How would you configure mail transfer security between 2 routing groups?
What is the Routing Group Master? Who holds that role?
Explain the configuration steps required to allow Exchange 2003 to send and receive email from the Internet (consider a one-site multiple server scenario).
What is DS2MB?
What is Forms Based Authentication?
How would you configure OWA's settings on an Exchange server?
What is DSACCESS?
What are Recipient Policies?
How would you work with multiple recipient policies?
What is the "issue" with trying to remove email addresses added by recipient policies? How would you fix that?
What is the RUS?
When would you need to manually create additional RUS?
What are Address Lists?
How would you modify the filter properties of one of the default address lists?
How can you create multiple GALs and allow the users to only see the one related to them?
What is a Front End server? In what scenarios would you use one?
What type of authentication is used on the front end servers?
When would you use NLB?
How would you achieve incoming mail redundancy?
What are the 4 types of Exchange backups?
What is the Dial-Tone server scenario?
When would you use offline backup?
How do you re-install Exchange on a server that has crashed but with AD intact?
What is the dumpster?
What are the e00xxxxx.log files?
What is the e00.chk file?
What is circular logging? When would you use it?
What's the difference between online and offline defrag?
How would you know if it is time to perform an offline defrag of your Exchange stores?
How would you plan for, and perform the offline defrag?
What is the eseutil command?
What is the isinteg command?
How would you monitor Exchange's services and performance? Name 2 or 3 options.
Name all the client connection options in Exchange 2003.
What is Direct Push? What are the requirements to run it?
How would you remote wipe a PPC?
What are the issues with connecting Outlook from a remote computer to your mailbox?
How would you solve those issues? Name 2 or 3 methods.
What is RPC over HTTP? What are the requirements to run it?
What is Cached Mode in OL2003/2007?
What are the benefits and "issues" when using cached mode? How would you tackle those issues?
What is S/MIME? What are the usage scenarios for S/MIME?
What are the IPSec usage scenarios for Exchange 2003?
How do you enable SSL on OWA?
What are the considerations for obtaining a digital certificate for SSL on Exchange?
Name a few 3rd-party CAs.
What do you need to consider when using a client-type AV software on an Exchange server?
What are the different clustering options in Exchange 2003? Which one would you choose, and why?

ACTIVE DIRECTORY INTERVIEW QUESTIONS


What is Active Directory?
What is LDAP?
Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Where is the AD database held? What other folders are related to AD?
What is the SYSVOL folder?
Name the AD NCs and the replication issues for each NC.
What are application partitions? When do I use them?
How do you create a new application partition?
How do you view replication properties for AD partitions and DCs?
What is the Global Catalog?
How do you view all the GCs in the forest?
Why not make all DCs in a large forest as GCs?
Trying to look at the Schema, how can I do that?
What are the Support Tools? Why do I need them?
What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What are sites? What are they used for?
What's the difference between a site link's schedule and interval?
What is the KCC?
What is the ISTG? Who has that role by default?
What are the requirements for installing AD on a new server?
What can you do to promote a server to DC if you're in a remote location with slow WAN link?
How can you forcibly remove AD from a server, and what do you do later?
Can I get user passwords from the AD database?
What tool would I use to try to grab security related packets from the wire?
Name some OU design considerations.
What is tombstone lifetime attribute?
What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
How would you find all users that have not logged on since last month?
What are the DS* commands?
What's the difference between LDIFDE and CSVDE? Usage considerations?
What are the FSMO roles? Who has them by default? What happens when each one fails?
What FSMO placement considerations do you know of?
I want to look at the RID allocation table for a DC. What do I do?
What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
How do you configure a "stand-by operation master" for any of the roles?
How do you backup AD?
How do you restore AD?
How do you change the DS Restore admin password?
Why can't you restore a DC that was backed up 4 months ago?
What are GPOs?
What is the order in which GPOs are applied?
Name a few benefits of using GPMC.
What are the GPC and the GPT? Where can I find them?
What are GPO links? What special things can I do to them?
What can I do to prevent inheritance from above?
How can I override blocking of inheritance?
How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
Name a few differences in Vista GPOs.
Name some GPO settings in the computer and user parts.
What are administrative templates?
What's the difference between software publishing and assigning?
Can I deploy non-MSI software with GPO?
You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

NETWORKING INTERVIEW QUESTIONS

What is an IP address?
What is a subnet mask?
What is ARP?
What is ARP Cache Poisoning?
What is the ANDing process?
What is a default gateway? What happens if I don't have one?
Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
What is a subnet?
What is APIPA?
What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them).
What is RFC 1918?
What is CIDR?
You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
You need to look at network traffic. What will you use? Name a few tools.
How do I know the path that a packet takes to the destination?
What does the ping 192.168.0.1 -l 1000 -n 100 command do?
What is DHCP? What are the benefits and drawbacks of using it?
Describe the steps taken by the client and DHCP server in order to obtain an IP address.
What is the DHCPNACK and when do I get one? Name 2 scenarios.
What ports are used by DHCP and the DHCP clients?
Describe the process of installing a DHCP server in an AD infrastructure.
What is DHCPINFORM?
Describe the integration between DHCP and DNS.
What options in DHCP do you regularly use for an MS network?
What are User Classes and Vendor Classes in DHCP?
How do I configure a client machine to use a specific User Class?
What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?
DNS zones – describe the differences between the 4 types.
DNS record types – describe the most important ones.
Describe the process of working with an external domain name.
Describe the importance of DNS to AD.
Describe a few methods of finding an MX record for a remote domain on the Internet.
What does "Disable Recursion" in DNS mean?
What could cause the Forwarders and Root Hints to be grayed out?
What is a "Single Label domain name" and what sort of issues can it cause?
What is the "in-addr.arpa" zone used for?
What are the requirements from DNS to support AD?
How do you manually create SRV records in DNS?
Name 3 benefits of using AD-integrated zones.
What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
What are the benefits and scenarios of using Stub zones?
What are the benefits and scenarios of using Conditional Forwarding?
What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
How do I work with the Host name cache on a client computer?
How do I clear the DNS cache on the DNS server?
What is the 224.0.1.24 address used for?
What is WINS and when do we use it?
Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
Describe the differences between WINS push and pull replications.
What is the difference between tombstoning a WINS record and simply deleting it?
Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
Describe the role of the routing table on a host and on a router.
What are routing protocols? Why do we need them? Name a few.
What are router interfaces? What types can they be?
In Windows 2003 routing, what are the interface filters?
What is NAT?
What is the real difference between NAT and PAT?
How do you configure NAT on Windows 2003?
How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
What is a VPN? What types of VPN do Windows 2000 and later work with natively?
What is IAS? In what scenarios do we use it?
What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
What is the "RAS and IAS" group in AD?
What are Conditions and Profile in RRAS Policies?
What types of authentication can a Windows 2003-based RRAS work with?
How does SSL work?
How does IPSec work?
How do I deploy IPSec for a large number of computers?
What types of authentication can IPSec use?
What is PFS (Perfect Forward Secrecy) in IPSec?
How do I monitor IPSec?
Looking at IPSec-encrypted traffic with a sniffer, what packet types do I see?
What can you do with NETSH?
How do I look at the open ports on my machine?
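The two subnetting questions in the list above (the 192.115.103.64/27 address range, and carving 131.112.0.0 into networks of at least 500 hosts) are the kind an interviewer expects you to work on paper. The following Python is an added example, not part of the original page: it performs both calculations with the standard-library ipaddress module and handles the /31 edge case, where RFC 3021 makes both addresses usable. It assumes the classful default mask of /16 for 131.112.0.0, since the question gives no mask.

```python
import ipaddress
import itertools


def address_range(cidr: str) -> dict:
    """Network, usable host range, broadcast and mask for a CIDR block.

    For prefixes up to /30 the network and broadcast addresses are excluded.
    On a /31 (RFC 3021) and a /32 every address is a host address.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen <= net.max_prefixlen - 2:
        first, last = first + 1, last - 1
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "first_host": str(ipaddress.ip_address(first)),
        "last_host": str(ipaddress.ip_address(last)),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": last - first + 1,
    }


def plan_subnets(block: str, hosts_needed: int) -> dict:
    """Largest number of equal subnets of `block` that still hold `hosts_needed`
    assignable addresses each.

    Host bits h must satisfy 2**h - 2 >= hosts_needed (network and broadcast
    are not assignable), i.e. h = ceil(log2(hosts_needed + 2)).
    """
    if hosts_needed < 1:
        raise ValueError("hosts_needed must be positive")
    net = ipaddress.ip_network(block, strict=False)
    host_bits = (hosts_needed + 1).bit_length()   # == ceil(log2(hosts_needed + 2))
    new_prefix = net.max_prefixlen - host_bits
    if new_prefix < net.prefixlen:
        raise ValueError(f"{block} cannot hold {hosts_needed} hosts in one subnet")
    subnet_count = 1 << (new_prefix - net.prefixlen)
    # Take only the first few subnets: enumerating all of them can be huge.
    first_subnets = [str(s) for s in
                     itertools.islice(net.subnets(new_prefix=new_prefix), 3)]
    mask = str(ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask)
    return {
        "prefix": new_prefix,
        "mask": mask,
        "subnet_count": subnet_count,
        "hosts_per_subnet": (1 << host_bits) - 2,
        "first_subnets": first_subnets,
    }


if __name__ == "__main__":
    # The two interview questions from the list above.
    print(address_range("192.115.103.64/27"))
    print(plan_subnets("131.112.0.0/16", 500))   # /16 assumed: classful Class B
```

For the /27 the usable range is .65 through .94 with broadcast .95 (30 hosts); for 500 hosts per network you need 9 host bits, so a /23 (255.255.254.0) with 510 usable hosts, which divides the /16 into 128 networks.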