Tuesday, April 28, 2009

GLOSSARY - TECHNICAL REFERENCE

abstract type: A type used in this specification whose representation need not be standardized for interoperability because the type's use is internal to the specification. See concrete type.
access control entry (ACE): An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies the principal (including group principals) for whom the rights are allowed, denied, or audited.
access control list (ACL): A sequence of access control entries (ACEs) that describes the rules for authorizing access to some resource; for example, an object or set of objects.
Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
Active Directory Domain Services (AD DS): AD DS is an operating system directory service implemented by a domain controller (DC). The directory service provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Windows 2000 and is available as part of Windows 2000 Server and Windows Server 2003 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008 and Windows Server 7. AD DS is not present in Windows 3.1, Windows NT 3.51, Windows NT 4.0, or Windows XP. For more information, see [MS-SECO] section 2.5.2 and [MS-ADTS].
Active Directory Lightweight Directory Services (AD LDS): AD LDS is an operating system directory service implemented by a domain controller (DC). The most significant difference between AD LDS and AD DS is that AD LDS does not host domain NCs. A server can host multiple AD LDS DCs. (In Microsoft documentation, AD LDS is sometimes called "ADAM".)
application NC: A specific type of naming context (NC). An application NC does not contain security principal objects and does not appear in the GC. The root of an application NC is an object of class domainDNS. See domainDNS.
attribute: (Note: This definition is a specialization of the "attribute" concept that is described in section 1, Introduction.) An identifier for a single- or multivalued data element associated with an LDAP directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (e-mail addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.
attribute syntax: A specification of the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), String(Unicode), and Object(DS-DN).
attributeID: The attributeID attribute. An OID-valued identifying attribute of each attributeSchema object in the schema NC.
back link attribute: A computed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between forward link attributes and back link attributes is expressed using the linkID attribute on the attributeSchema objects representing the two attributes. The forward link's linkID is an even number, and the back link's linkID is the forward link's linkID plus one. For more information, see [MS-ADTS] section 3.1.1.1.6.
binary OID: An object identifier (OID) in a Basic Encoding Rules (BER)–encoded binary format, as specified in [ITUX690] section 8.19.
built-in domain: The SID namespace that is defined by the fixed SID S-1-5-32. The built-in domain contains groups that define roles on a local computer, such as "Backup Operators".
built-in domain SID: The fixed SID S-1-5-32 of the built-in domain.
built-in principal: A security principal within the built-in domain whose SID is identical in every domain.
canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a path that still identifies an object within a forest. The DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/". See domainDNS.
child object, children: See section 1, Introduction.
class: See object class.
computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.
concrete type: A type used in this specification whose representation must be standardized for interoperability. Specific cases include types in the IDL definition of an RPC interface, types sent over RPC but whose representation is unknown to RPC, and types stored as byte strings in directory attributes.
configuration naming context (config NC): A specific type of NC that contains configuration information. A forest has a single config NC, which is shared among all DCs in the forest.
critical object: A subset of the objects in the default NC, identified by the attribute isCriticalSystemObject having the value TRUE. The objects that are marked in this way are essential for the operation of a DC hosting the NC.
crossRef object: An object of class crossRef. Each crossRef object is a child of the partitions container in the config NC. A crossRef describes the properties of an NC, such as its DNS name, operational settings, and so on.
default naming context (default NC): Part of the state of a DC. A DC's default NC is the NC of its default NC replica. A DC's default NC contains the DC's computer object.
default naming context replica (default NC replica): Part of the state of a DC. A DC's default NC replica is the full domain NC replica hosted by the DC.
deleted-object: An object that has been deleted, but that remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed into a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion and may be undeleted without loss of information. Deleted-objects exist only when the Recycle Bin optional feature is enabled.
deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.
directory object (or object): An Active Directory object, which is a specialization of the "object" concept that is described in section 1, Introduction. The identifying attribute is objectGUID, and the parent-identifying attribute (not exposed as an LDAP attribute) is parent. Active Directory objects are similar to LDAP entries, as defined in [RFC2251]; the differences are specified in [MS-ADTS] section 3.1.1.3.1.
distinguished name (DN): A human-readable name for an object; every object has a DN. Active Directory DNs are LDAP DNs [RFC2251], restricted as specified in [MS-ADTS] section 3.1.1.3.1.2.1. The DN of an object is the object's RDN followed by "," followed by the DN of its parent; for example: "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com". See canonical name.
domain: A unit of security administration and delegation in a Microsoft Windows network. For more information, see [MS-SECO] section 2.5, and [MS-ADTS].
domain naming context (domain NC): A type of NC that represents a domain. A domain NC can contain security principal objects; no other type of NC can contain security principal objects. Domain NCs appear in the GC. A forest has one or more domain NCs. The root of a domain NC is an object of class domainDNS. See domainDNS.
domain security identifier (domain SID): The SID of the root object of a domain NC. The relative identifier (RID) portion of the domain SID is always zero. Every security principal object in a domain NC has an objectSid attribute equal to the domain SID except for the RID portion.
domainDNS: A specific object class. The root of a domain NC or an application NC is an object of class domainDNS. The DN of such an object takes the form
dc=n1,dc=n2, ... dc=nk
where each ni satisfies the syntactic requirements of a DNS name component. For more information, see [RFC1034]. Such a DN corresponds to the DNS name
n1.n2. ... .nk
This is the DNS name of the NC, and it allows replicas of the NC to be located by using DNS.
DSA GUID: The objectGUID of a DSA object.
DSA object: An object of class nTDSDSA, always located in the config NC. This object represents a DC in the forest.
DSName: A DSName is a tuple that contains between one and three identifiers for an object. The possible identifiers are the object's GUID (attribute objectGUID), SID (attribute objectSid), and DN (attribute distinguishedName). Given a DSName, an object can be identified within a set of NC replicas according to the matching rules defined in section 5.32.
dynamic object: An object with a "time-to-die" attribute, msDS-Entry-Time-To-Die. Active Directory "garbage-collects" a dynamic object immediately after the time-to-die of the object has passed. The constructed attribute entryTTL gives a dynamic object's current "time-to-live"; that is, the difference between the current time and msDS-Entry-Time-To-Die. See [RFC2589].
endpoint: A network-specific address of a server process for remote procedure calls. The actual name of the endpoint depends on the RPC protocol sequence being used. For example, for the NCACN_IP_TCP RPC protocol sequence, an endpoint might be TCP port 1025. For more information, see [C706].
entry: A term often used as a synonym for object, but not in this document.
extended canonical name: Same as a canonical name, except that the rightmost forward slash ('/') is replaced with a newline character.
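The DN-to-canonical-name transformation (canonical name entry above), the domainDNS DN-to-DNS-name mapping (domainDNS entry), and the extended canonical name rule (this entry) are all mechanical string rewrites, so the following added example implements them. This is illustrative code written for this page, not code from the glossary or from any Microsoft specification; it assumes the simple DN shape used in the glossary's own examples (one attribute-value pair per RDN, comma separators, optional whitespace) and does not handle escaped commas or multi-valued RDNs.

```python
# Added example (not part of the glossary or any Microsoft specification):
# canonical name, extended canonical name, and DNS name of a domainDNS root.
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a simple DN into (attribute, value) RDN pairs, leftmost first.

    Assumption: one attribute-value pair per RDN, separated by commas, with
    optional surrounding whitespace. Escaped commas and multi-valued RDNs
    are not handled.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, eq, value = rdn.strip().partition("=")
        if not attr or not eq:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonical_name(dn: str) -> str:
    """DN -> canonical name.

    "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" -> "microsoft.com/NTDEV/Peter Houston"
    "dc=microsoft, dc=com" -> "microsoft.com/"
    """
    pairs = parse_dn(dn)
    # The trailing run of dc= components (the domainDNS root) becomes the DNS name.
    i = len(pairs)
    while i > 0 and pairs[i - 1][0] == "dc":
        i -= 1
    dns_name = ".".join(value for _, value in pairs[i:])
    if not dns_name:
        raise ValueError("DN has no dc= components")
    # The remaining RDNs, read from the root downward, become path components.
    path = [value for _, value in reversed(pairs[:i])]
    return dns_name + "/" + "/".join(path)


def extended_canonical_name(dn: str) -> str:
    """Canonical name with its rightmost '/' replaced by a newline character."""
    head, _, tail = canonical_name(dn).rpartition("/")
    return head + "\n" + tail


def dns_name_of_nc_root(dn: str) -> str:
    """DNS name of a domainDNS root: dc=n1,dc=n2,...,dc=nk -> n1.n2. ... .nk."""
    pairs = parse_dn(dn)
    if any(attr != "dc" for attr, _ in pairs):
        raise ValueError("not a domainDNS root DN")
    return ".".join(value for _, value in pairs)


if __name__ == "__main__":
    print(canonical_name("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com"))
    print(repr(extended_canonical_name("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com")))
    print(dns_name_of_nc_root("dc=microsoft, dc=com"))
```

Note that the DNS name is taken only from the trailing `dc=` components; an `ou=` or `cn=` RDN below them stops the scan, which is why "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" yields "microsoft.com/NTDEV/Peter Houston" and not a longer dotted name.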
flexible single master operation: See FSMO.
forest root domain NC: The domain NC within a forest that is the parent of the config NC. The DNS name of the forest root domain NC serves as the forest's name.
forward link attribute: A specific type of attribute. The values of a forward link attribute include object references (for example, syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, that is a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa. See [MS-ADTS] section 3.1.1.1.6.
FSMO (flexible single master operation): A read or update operation on an NC, such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term (pronounced "fizmo") is never used alone; see FSMO role, FSMO role owner.
FSMO role: A set of objects that can be updated in only one NC replica at any given time. For more information, see [MS-ADTS] section 3.1.1.1.11. See FSMO role owner.
FSMO role abandon: A request to a DC D. The effect is for D to request the current owner of a specified FSMO role to transfer the role to D (see FSMO role transfer). Abandon is typically initiated by the current role owner in anticipation of being unable to host the role; for example, because the DC is being decommissioned. The server-to-server methods required to implement any aspect of a FSMO role, or to transfer a FSMO role from one DC to another DC, are not included in this document and are not required for interoperation with Windows client operating systems.
FSMO role object: The object in the domain or forest that represents a specific FSMO role. This object is a member of the FSMO role and contains the fSMORoleOwner attribute.
FSMO role transfer: A request to a DC D. If D is the current owner of the specified FSMO role, the effect is to transfer that role to the client; if D is not the current owner of the role, the effect is to update the client's role objects from D's replica, so that the client can try the request again on another DC. The server-to-server methods required to implement any aspect of a FSMO role, or to transfer a FSMO role from one DC to another DC, are not included in this document and are not required for interoperation with Windows client operating systems.
global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group object G is a global group if GROUP_TYPE_ACCOUNT_GROUP is present in G's groupType attribute. A global group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupType attribute; in this case the group is valid for inclusion within access control lists (ACLs) anywhere in the forest.
globally unique identifier (GUID): A 128-bit value used in cross-process communication to identify entities such as client and server interfaces and RPC objects. For more information, see [C706]. A string representation of GUIDs, commonly called the "dashed-string" representation, is specified in [RFC4122] section 3.
governsID: The governsID attribute. An OID-valued identifying attribute of each classSchema object in the schema NC.
group: See group object.
group object: An object of class group, representing a set of objects. A group has a forward link attribute member; the values of this attribute either represent elements of the group (for example, objects of class user or computer) or represent subsets of the group (objects of class group). Representation of group subsets is called "nested group membership". The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for example, used to represent e-mail distribution lists).
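The back link attribute, forward link attribute and group object entries together describe one rule: a forward link has an even linkID, its back link has that linkID plus one, and object o gets one back link value for every object r whose forward link contains o. The following added example (written for this page; not glossary or Microsoft code) implements that derivation over a constructed mini-schema and a constructed directory fragment. The linkID values and DNs are illustrative, not real Active Directory schema values.

```python
# Added example (not glossary or Microsoft code): derive back link values from
# forward link values using the linkID pairing rule. SCHEMA_LINK_IDS and OBJECTS
# are constructed test data; linkIDs here are illustrative only.
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed mini-schema: attribute name -> linkID (None = not a linked attribute).
SCHEMA_LINK_IDS: Dict[str, Optional[int]] = {
    "member": 2,          # forward link (even)
    "memberOf": 3,        # its back link (forward linkID + 1)
    "manager": 4,         # forward link with no back link defined in this toy schema
    "description": None,  # ordinary attribute
}


def is_forward_link(attr: str) -> bool:
    """A forward link attribute is one whose linkID is an even number."""
    link_id = SCHEMA_LINK_IDS.get(attr)
    return link_id is not None and link_id % 2 == 0


def back_link_of(forward_attr: str) -> Optional[str]:
    """Name of the back link attribute paired with a forward link, or None.

    A forward link may exist without a back link; the reverse is not allowed.
    """
    if not is_forward_link(forward_attr):
        raise ValueError(f"{forward_attr} is not a forward link attribute")
    wanted = SCHEMA_LINK_IDS[forward_attr] + 1
    for attr, link_id in SCHEMA_LINK_IDS.items():
        if link_id == wanted:
            return attr
    return None


def compute_back_links(objects: Dict[str, Dict[str, List[str]]],
                       forward_attr: str) -> Dict[str, List[str]]:
    """Return {object DN: sorted back link values} for the given forward link.

    objects maps DN -> {attribute: [values]}. One back link value exists on
    object o for each object r whose forward_attr contains o. Only direct
    membership is reflected; nested groups are not expanded.
    """
    if back_link_of(forward_attr) is None:
        return {}
    result: Dict[str, List[str]] = defaultdict(list)
    for r_dn, attrs in objects.items():
        for o_dn in attrs.get(forward_attr, []):
            result[o_dn].append(r_dn)
    return {dn: sorted(vals) for dn, vals in result.items()}


# Constructed directory fragment: two groups and two users, with nesting.
OBJECTS: Dict[str, Dict[str, List[str]]] = {
    "cn=Admins,dc=example,dc=com": {
        "member": ["cn=alice,dc=example,dc=com", "cn=Ops,dc=example,dc=com"],
    },
    "cn=Ops,dc=example,dc=com": {"member": ["cn=bob,dc=example,dc=com"]},
    "cn=alice,dc=example,dc=com": {"manager": ["cn=bob,dc=example,dc=com"]},
    "cn=bob,dc=example,dc=com": {},
}


if __name__ == "__main__":
    for dn, groups in compute_back_links(OBJECTS, "member").items():
        print(dn, "memberOf", groups)
```

Because memberOf is computed from member rather than stored independently, bob's memberOf lists only Ops even though Ops is nested in Admins; resolving effective membership requires walking the chain, which is why a security context is built from the full set of SIDs rather than from a single back link read.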
group principal: A group representing a collection of security principals. A group principal can be used in an ACE to collectively grant or deny permissions to all the security principals in that group.
invocation ID: A unique identifier for a function that maps from update sequence numbers (USNs) to updates to the NC replicas of a DC.
Knowledge Consistency Checker (KCC): An internal Windows component of Active Directory replication used to create spanning trees for server-to-server replication and to translate those trees into settings of variables that implement the replication topology. The implementation details of this component are not included in this document and are not required for interoperation with Windows client operating systems.
lingering object: An object that still exists in an NC replica even though it has been deleted and "garbage-collected" from other replicas. These objects are a consequence of a characteristic of the server-to-server replication implementation. Lingering objects can occur in this implementation, for example, when a DC goes offline for longer than the tombstone lifetime. The specific details of the implementation that can create a lingering object are not included in this document and are not required for interoperation with Windows client operating systems.
mixed mode: A state of an Active Directory domain that supports DCs running Windows NT Server 4.0. Mixed mode does not allow organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See native mode.
naming context (NC): An NC is a DSName, containing at least a DN and a GUID, used in forming names for a tree of objects. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root. The SID of the DSName, if present, is the objectSid attribute of the tree root; the SID is present if and only if the NC is a domain NC. Active Directory allows NCs to be organized into a tree structure.
native mode: A state of an Active Directory domain in which all current and future DCs run Windows 2000 Server or higher; no DCs run Windows NT Server 4.0. Native mode allows organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See mixed mode.
NC replica: A variable containing a tree of objects whose root object is identified by some NC.
nTDSDSA object: An object of class nTDSDSA. See DSA object.
object: See section 1, Introduction.
object class: See section 1, Introduction.
object class name: The lDAPDisplayName of the classSchema object of a class. This document consistently uses object class names to denote classes; for example, user and group are both object class names. The correspondence between LDAP display names and numeric OIDs in the Active Directory schema is specified in the following appendices of [MS-ADTS]: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].
object identifier (OID): A sequence of numbers in a format defined in [RFC1778]. See attributeID, governsID.
object of class x (or x object): An object O such that one of the values of its objectClass attributes is x. For example, if O's objectClass contains the value user, O is an object of class user. This is often contracted to "user object".
object reference: An attribute value that identifies an object; reading an object reference gives the DN or full DSName of the object.
objectClass: The objectClass attribute. The attribute on an object that holds the object class name of each object class of the object.
objectGUID: The objectGUID attribute. The identifying attribute on an object, in the sense of the "object" concept that is described in section 1, Introduction. The value of an object's objectGUID is a GUID assigned when the object was created and is immutable thereafter. The integrity of object references between NCs and of replication depends on the integrity of the objectGUID attribute.
objectSid: The objectSid attribute. The attribute on an object whose value is a SID that identifies the object as a security principal object. The value of an object's objectSid is assigned when the security principal object was created and is immutable thereafter unless the object moves to another domain. The integrity of authentication depends on the integrity of the objectSid attribute.
optional feature: A non-default behavior that modifies the Active Directory state model. For more information, refer to [MS-ADTS] section 3.1.1.8.
oriented tree: A directed acyclic graph such that for every vertex v, except one (the root), there is a unique arc whose initial vertex is v. There is no arc whose initial vertex is the root. For more information, see [KNUTH1] section 2.3.4.2.
parent object: See section 1, Introduction.
partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects that it contains. A partial NC replica is not writable—it does not accept originating updates. See writable NC replica.
Partitions container: A child object of the config NC root. The RDN of the Partitions container is "cn=Partitions" and its class is crossRefContainer. See crossRef object.
PDC emulator: A DC that is designated to track changes made to the accounts of all computers in a domain. The PDC emulator is the only computer to receive these changes directly and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC emulator.
primary domain controller (PDC): See PDC emulator.
principal: See security principal.
read permission: Authorization to read an attribute of an object. For more information, see [MS-ADTS] section 5.1.3.
Recycle Bin: An optional feature that modifies the state model of object deletions and undeletions, making undeletion of deleted-objects possible without loss of the object's attribute values. For more information, refer to [MS-ADTS] section 3.1.1.8.1.
recycled-object: An object that has been deleted, but that remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. Unlike a deleted-object, most of the state of the object has been removed, and the object may no longer be undeleted without loss of information. By keeping the recycled-object in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Recycled-objects exist only when the Recycle Bin optional feature is enabled.
read-only domain controller (RODC or read-only DC): An AD DS DC that performs no originating updates.
relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the DN of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston".
relative identifier (RID): The last item in the series of subauthority values in a SID (see [MS-DTYP] section 2.4.2). Differences in the RID are what distinguish the different SIDs generated within a domain.
replica: See section 1, Introduction.
replicated attribute: An attribute whose values are replicated. See replication.
replicated update: An update performed to an NC replica by the implemented replication system to propagate the effect of an originating update at another NC replica. The stamp assigned during the originating update to an attribute or a link value is preserved by replication. Neither this stamp nor any other specific aspects of a replicated update are required for interoperation with Windows client operating systems.
replication: The process of propagating the effects of all originating writes, to any replica of an NC, to all replicas of the NC. If originating writes cease and replication continues, all replicas converge to a common application-visible state. The description and details of the methods used for this server-to-server implementation are not included in this document and are not required for interoperation with Windows client operating systems.
RID allocation pool: The set of RIDs that a domain NC replica can assign to new objects having the objectSid attribute without obtaining more RIDs from the domain NC's RID available pool. See relative identifier (RID), objectSid.
RID available pool: The set of RIDs for a domain NC that have not been assigned to the RID allocation pool of any replica of the NC. The RID available pool is represented by the values of attributes within the domain NC's RID Master FSMO role.
root domain: See forest root domain NC.
RPC protocol sequence: A character string that represents a valid combination of an RPC protocol, a network layer protocol, and a transport layer protocol. For example, the protocol sequence NCACN_IP_TCP describes a Network Computing Architecture (NCA) connection over the Internet Protocol (IP) with a Transmission Control Protocol (TCP) as transport. For more information, see [C706] and [MS-RPCE] section 2.1.
schema naming context (schema NC): A specific type of NC that contains schema objects representing the schema. A forest has a single schema NC, which is replicated to each DC in the forest. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC.
secret data: An implementation-specific set of attributes on objects of class user that contain security-sensitive information about the security principal.
security context: A data structure containing authorization information for a particular security principal in the form of a collection of SIDs. One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.
security descriptor: A data structure containing the security information associated with a securable entity, such as an object. A security descriptor identifies an object's owner by SID. If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.
security identifier (SID): An identifier for a security principal object. The SID is composed of an account authority portion (typically corresponding to a domain) and an integer representing an identity relative to the account authority, termed the RID. The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of a SID is specified in [MS-SECO] section 2.3. See relative identifier (RID).
security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret shared only by the principal. In Active Directory, a security principal object is identified by the objectSid attribute. In Active Directory, the domainDNS, user, computer, and group classes are examples of security principal object classes (though not every group object is a security principal object). See domainDNS, objectSid, computer object, group object, user object.
server object: A class of object in the config NC. A server object can have a DSA object as a child.
service account object: The security principal object that corresponds to the principal running a service. For a typical service (including some configurations of an AD LDS DC), this is a user object; for a service running as Local System or Network Service (including all AD DS DCs and the default configuration of an AD LDS DC), this is the computer object of the computer.
service principal name (SPN): The name a client uses to identify a service for mutual authentication. (For more information, see [RFC1964] section 2.1.1.) An SPN consists of either two parts or three parts, each separated by a forward slash ('/'). The first part is the service class name, the second part is the instance name, and the third part (if present) is the service name. For example, "ldap/dc-01.fabrikam.com/fabrikam.com" is a three-part SPN where "ldap" is the service class name, "dc-01.fabrikam.com" is the instance name, and "fabrikam.com" is the service name.
site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects), an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When a user logs in, an Active Directory client finds a DC that is in the same site as the client, or near the same site if there is no DC in the site. See Knowledge Consistency Checker (KCC), site object.
site object: An object of class site, representing a site.
site of a DC: The site object that is an ancestor of a DC's DSA object. See site object.
stamp: Information describing an originating update by a DC. The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the actual data values. Neither this stamp nor any other specific aspects of a replicated update are required for interoperation with Windows client operating systems.
STATUS code: A 32-bit quantity where zero represents success and nonzero represents failure. The specific failure codes used in this specification are documented in section 5, STATUS codes.
tombstone: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. By keeping the tombstone in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Tombstones exist only when the Recycle Bin optional feature is not enabled.
tombstone lifetime: The amount of time that a tombstone or recycled-object is kept in storage before it is permanently deleted.
Unicode: An industry standard representation for text and symbols from the world's writing systems. UTF-16 is a 16-bit, variable-width encoding of Unicode; UTF-8 is an 8-bit, variable-width encoding.
universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object G is a universal group if GROUP_TYPE_UNIVERSAL_GROUP is present in G's groupType attribute. A universal group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupType attribute; in this case, the group is valid for inclusion within ACLs anywhere in the forest.
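The global group and universal group entries both test groupType bits: scope comes from GROUP_TYPE_ACCOUNT_GROUP or GROUP_TYPE_UNIVERSAL_GROUP, and the group contributes to security contexts (and is valid in forest-wide ACLs) only when GROUP_TYPE_SECURITY_ENABLED is also present. The following added example (written for this page, not glossary or Microsoft code) performs that classification. The numeric flag values are the GROUP_TYPE_* constants from [MS-ADTS] section 2.2.12; they are not listed on this page. It also handles the practical wrinkle that LDAP returns groupType as a signed 32-bit integer, so security-enabled groups read back as negative numbers.

```python
# Added example (not from the glossary or [MS-ADTS]): classify a group object
# by its groupType bits. Flag values are the GROUP_TYPE_* constants of
# [MS-ADTS] section 2.2.12, which this page does not list.
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002        # global group
GROUP_TYPE_RESOURCE_GROUP = 0x00000004       # domain local group
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_APP_BASIC_GROUP = 0x00000010
GROUP_TYPE_APP_QUERY_GROUP = 0x00000020
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def normalize_group_type(value: int) -> int:
    """groupType is exposed over LDAP as a signed 32-bit integer, so a
    security-enabled group reads back negative (e.g. -2147483646 for a
    global security group). Map it to the unsigned 32-bit bit pattern."""
    return value & 0xFFFFFFFF


def group_scope(group_type: int) -> str:
    """Scope of the group according to its groupType bits."""
    gt = normalize_group_type(group_type)
    if gt & GROUP_TYPE_ACCOUNT_GROUP:
        return "global"
    if gt & GROUP_TYPE_UNIVERSAL_GROUP:
        return "universal"
    if gt & GROUP_TYPE_RESOURCE_GROUP:
        return "domain local"
    if gt & GROUP_TYPE_BUILTIN_LOCAL_GROUP:
        return "builtin local"
    return "unknown"


def is_security_enabled(group_type: int) -> bool:
    """True when the group contributes to security contexts at all."""
    return bool(normalize_group_type(group_type) & GROUP_TYPE_SECURITY_ENABLED)


def valid_in_forest_acls(group_type: int) -> bool:
    """Per the glossary: a global or universal group is valid for inclusion in
    ACLs anywhere in the forest only if GROUP_TYPE_SECURITY_ENABLED is set.
    Distribution groups (flag clear) carry no SID into security contexts."""
    return is_security_enabled(group_type) and group_scope(group_type) in ("global", "universal")


if __name__ == "__main__":
    # Constructed sample values as an LDAP client would see them.
    for name, gt in [("Domain Admins", -2147483646), ("Mail list", 2), ("Forest ops", -2147483640)]:
        print(name, group_scope(gt), "security" if is_security_enabled(gt) else "distribution",
              "forest ACLs:", valid_in_forest_acls(gt))
```

When auditing group membership or ACLs, check the security-enabled bit before treating a group as a principal: a distribution group with the same scope bits shares the object class but never appears in a security context.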
universally unique identifier (UUID): See GUID.
up-to-date vector: A structure in the Microsoft implementation of server-to-server replication that is a representation of an assertion about the presence of originating updates from different sources in an NC replica. This structure is used in the server-to-server replication implementation and is not required for interoperation with Windows client operating systems. See update sequence number (USN).
update: An add, modify, or delete of one or more objects or attribute values. See originating update, replicated update.
update sequence number (USN): A monotonically increasing sequence number used in assigning a stamp to an originating update. For more information, see [MS-ADTS] section 3.1.1.1.9. This structure is used in the server-to-server replication implementation, and is not required for interoperation with Windows client operating systems. See invocation ID.
user object: An object of class user. A user object is a security principal object; the principal is a person or service entity. The shared secret allows the person or service entity to authenticate itself.
well-known endpoint: A network-specific address that is known between client and server instances. See also endpoint. For more information, see [C706].
Windows error code: A 32-bit quantity where zero represents success and nonzero represents failure. Specific failure codes are documented in [MS-ERREF].
writable NC replica: An NC replica that accepts originating updates. See full NC replica, partial NC replica.
