A security mechanism that determines which operations a user, group, service, or computer is authorized to perform on a computer or on a particular object, such as a file, printer, registry subkey, or directory service object.
access control entry (ACE)
An entry in an object’s discretionary access control list (DACL) that grants permissions to a user or group. An ACE is also an entry in an object’s system access control list (SACL) that specifies the security events to be audited for a user or group.
access control list (ACL)
A list of security protections that apply to an entire object, a set of the object’s properties, or an individual property of an object. There are two types of access control lists: discretionary and system.
A data structure that contains the security identifier (SID) for a security principal, SIDs for the groups that the security principal belongs to, and a list of the security principal's privileges (also called user rights) on the local computer.
Interactive or animated content used on the Internet. Active content includes ActiveX controls and web browser add-ons.
The Windows-based directory service. Active Directory stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Active Directory Application Mode (ADAM)
A stand-alone directory service that is designed specifically for use with directory-enabled applications. Active Directory Application Mode (ADAM) does not require or depend on Active Directory forests or domains. ADAM stores and replicates only application-related information. ADAM does not store or replicate network operating system (NOS)-related information.
Active Directory Application Mode (ADAM) instance
For Active Directory Application Mode (ADAM), a single copy of the ADAM directory service, along with its associated directory store, assigned Lightweight Directory Access Protocol (LDAP) and Secure Sockets Layer (SSL) ports, and application event log. You can run multiple ADAM instances simultaneously on a single ADAM server.
Active Directory replication
The synchronization of Active Directory partition replicas between domain controllers. Replication automatically copies the changes that originate on a writable directory partition replica to all other domain controllers that hold the same directory partition replica. More specifically, a destination domain controller pulls these changes from the source domain controller.
Active Directory Service Interfaces (ADSI)
A directory service model and a set of Component Object Model (COM) interfaces. ADSI enables Windows applications and Active Directory clients to access several network directory services, including Active Directory. ADSI is supplied as a software development kit (SDK).
Active Directory Users and Computers
An administrative tool used by an administrator to perform day-to-day Active Directory administration tasks. The tasks that can be performed with this tool include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. Examples of objects in Active Directory are organizational units, users, contacts, groups, computers, printers, and shared file objects.
A partition from which a computer starts up. The active partition must be a primary partition on a basic disk. If you use Windows exclusively, the active partition can be the same as the system volume.
The volume from which the computer starts up. The active volume must be a simple volume on a dynamic disk. You cannot mark an existing dynamic volume as the active volume, but you can upgrade a basic disk containing the active partition to a dynamic disk. After the disk is upgraded to dynamic, the partition becomes a simple volume that is active.
A set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created.
Address Resolution Protocol (ARP)
In TCP/IP, a protocol that uses broadcast traffic on the local network to resolve a logically assigned Internet Protocol version 4 (IPv4) address to its physical hardware or media access control (MAC) layer address. In asynchronous transfer mode (ATM), ARP is used two different ways. For classical IPv4 over ATM (CLIP), ARP is used to resolve addresses to ATM hardware addresses. For ATM LAN emulation (LANE), ARP is used to resolve Ethernet/802.3 or Token Ring addresses to ATM hardware addresses.
application programming interface (API)
A set of routines that an application uses to request and carry out lower-level services performed by a computer's operating system. These routines usually carry out maintenance tasks such as managing files and displaying information.
atomicity, consistency, isolation, durability (ACID)
The four essential properties of an electronic transaction. Atomicity is the ability to do or undo a transaction completely; consistency is the ability of a transaction to change a system from one consistent state to another consistent state; isolation is the ability for a transaction to occur independently of other transactions made at the same time; and durability is the ability of a transaction to persist, even during system failure.
For files, information that indicates whether a file is read-only, hidden, ready for archiving (backing up), compressed, or encrypted, and whether the file contents should be indexed for fast file searching.
Data that is recorded in the event log when specified system, application, and security-related events take place. Audit entries provide valuable data about system operations that can be used to identify system use and to diagnose system behavior.
The process that tracks the activities of users by recording selected types of events in the security log of a server or a workstation.
The protocol by which an entity on a network proves its identity to a remote entity. Typically, identity is proved with the use of a secret key, such as a password, or with a stronger key, such as the key on a smart card. Some authentication protocols also implement mechanisms to share keys between client and server to provide message integrity or privacy.
A duplicate copy of a program, a disk, or data, made either for archiving purposes or for safeguarding valuable files from loss in case the active copy is damaged or destroyed. Some application programs automatically make backup copies of data files, maintaining both the current version and the preceding version.
backup domain controller (BDC)
A domain controller running Windows NT Server 4.0 or earlier that receives a read-only copy of the directory database for the domain. The directory database contains all account and security policy information for the domain.
backup media pool
A logical collection of data-storage media that has been reserved for use by Microsoft Windows Backup. Backup uses Removable Storage to control access to specific media within a library.
A collection of files, folders, and other data that has been backed up and stored in a file or on one or more tapes.
basic input/output system (BIOS)
The set of essential software routines that test computer hardware at startup, start the operating system, and support the transfer of information between hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be run when the computer is turned on. Although critical to performance, the BIOS is usually invisible to computer users.
In Active Directory replication, a single server in a site that is designated to perform site-to-site replication for a specific domain and transport. In a messaging system, a server that receives and forwards e-mail traffic at each end of a connection agreement, similar to the task a gateway performs.
A region of random access memory (RAM) reserved for use with data that is temporarily held while waiting to be transferred between two locations, such as between an application's data area and an input/output device.
A special memory subsystem in which frequently used data values are duplicated for quick access.
A file used by DNS servers and clients to store responses to DNS queries. For Windows DNS servers, the cache file is named Cache.dns by default.
The process of temporarily storing recently accessed information in a special memory subsystem for quicker access.
A program that extracts information from DNS servers in response to client requests.
A DNS server that does not host any DNS zones but that performs name resolution and stores the results in its cache.
A network configuration in which hubs are connected to other hubs.
In data storage, the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows organize hard disks based on clusters, which consist of one or more contiguous sectors. The smaller the cluster size, the more efficiently a disk stores information. If no cluster size is specified during formatting, Windows picks defaults based on the size of the volume. These defaults are selected to reduce the amount of space that is lost and the amount of fragmentation on the volume. Also called an allocation unit. In computer networking, a group of independent computers that work together to provide a common set of services and present a single-system image to clients. The use of a cluster enhances the availability of the services and the scalability and manageability of the operating system that provides the services.
The adapter that, when using multiple network adapters in each host of a Network Load Balancing cluster, handles the network traffic for cluster operations (the traffic for all hosts in the cluster). This adapter is programmed with the host's cluster IP address.
An application that configures a cluster and its nodes, groups, and resources. Cluster Administrator can run on any member of the trusted domain regardless of whether the computer is a cluster node.
Cluster Administrator extension
A software component that implements the Cluster Administrator extension application programming interface (API) for allowing Cluster Administrator to configure a new resource type.
A collection of functions that are implemented by the cluster software and used by a cluster-aware client or server application, a cluster management application, or a Resource DLL. The Cluster API is used to manage the cluster, cluster objects, and the cluster database.
cluster full Internet name
A full Internet name for the Network Load Balancing cluster (for example, cluster.microsoft.com). This name is used for the cluster as a whole and should be the same for all hosts in the cluster.
cluster IP address
The Network Load Balancing cluster's IP address in standard Internet dotted notation (for example, w.x.y.z). The address is a virtual IP address used to address the cluster as a whole, and it should be the IP address that maps to the full Internet name that you specify for the cluster. In a Network Load Balancing cluster, this address must be set identically for all hosts in the cluster.
An optionally enabled trace record of Cluster service events on a node. Not synonymous with quorum log.
cluster network address
The network (media access control) address for the network adapter that is to be used for handling client-to-cluster traffic in a Network Load Balancing cluster.
The essential software component that controls all aspects of server cluster operation and manages the cluster database. Each node in a server cluster runs one instance of the Cluster service.
Storage where one or more attached disks hold data used either by server applications running on the cluster or by applications for managing the cluster. Each disk on the cluster storage is owned by only one node of the cluster. The ownership of disks moves from one node to another when the disk group fails over or moves to the other node.
An alternative to using Cluster Administrator to administer clusters from the command prompt. You can also call Cluster.exe from command scripts to automate many cluster administration tasks.
An application that can run on a cluster node and that can be managed as a cluster resource. Cluster-aware applications use the Cluster API to receive status and notification information from the server cluster.
An application that can run on a cluster node and be managed as a cluster resource but that does not support the Cluster API.
A component you can use to view and control many aspects of the computer configuration. Computer Management combines several administration utilities into a single console tree, providing easy access to a local or remote computer's administrative properties and tools.
A framework for hosting administrative tools, such as Microsoft Management Console (MMC). A console is defined by the items in its console tree, which might include folders or other containers, World Wide Web pages, and other administrative items. A console has windows that can provide views of the console tree and the administrative properties, services, and events that are acted on by the items in the console tree.
In Task Manager, the total processor time, in seconds, used by a process since it started.
In Task Manager, the percentage of time that a process used the CPU since the last update. This percentage is displayed in Task Manager on the Processes tab, under the CPU column heading.
A feature of shadow copy backups that ensures all files are backed up, regardless of their state.
Crash Dump Type
Specifies the file format Dr. Watson will use to store the information. The Full format contains the entire memory space of the program, as well as the program image itself, the handle table, and other information that will be useful to the debugger. The Mini format may include the full memory and handle table, or it may simply contain information about a single thread. The Windows NT 4.0-compatible Full format provides you with the opportunity to use older tools to analyze the dump file. Crash Dump Type is only available when you have selected the Create Crash Dump File check box.
dedicated IP address
The IP address of a Network Load Balancing host used for network traffic that is not associated with the Network Load Balancing cluster (for example, Telnet access to a specific host within the cluster). This IP address is used to individually address each host in the cluster and therefore should be unique for each host.
A computer running the Microsoft DHCP service that offers dynamic configuration of IP addresses and related information to DHCP-enabled clients.
A service that enables a computer to function as a DHCP server and configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for network clients.
DHCP service resource
A resource type that provides DHCP services from a cluster.
DHCP/BOOTP Relay Agent
The agent program or component responsible for relaying Dynamic Host Configuration Protocol (DHCP) and bootstrap protocol (BOOTP) broadcast messages between a DHCP server and a client across an Internet Protocol (IP) router. A DHCP relay agent supports DHCP/BOOTP message relay as defined in RFCs 1541 and 2131. The DHCP Relay Agent routing protocol component is managed using the Routing and Remote Access snap-in.
In Active Directory, a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains. In DNS, any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Active Directory domains.
A person who is a member of the Domain Admins group. Domain administrators can create, delete, and manage all objects that reside within the domain in which they are administrators. They can also assign and reset passwords and delegate administrative authority for network resources to other trusted users.
In an Active Directory forest, a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. Administrators can manage user accounts, network access, shared resources, site topology, and other directory objects from any domain controller in the forest.
domain controller locator (Locator)
An algorithm running in the context of the Net Logon service that enables a client to locate a domain controller. Locator can find domain controllers by using DNS or network basic input/output system (NetBIOS) names. The DNS service (SRV) resource records registered by Locator on behalf of domain controllers are also known as domain controller locator (Locator) resource records.
An implementation of Distributed File System (DFS) in which DFS topological information is stored in Active Directory. Because this information is made available on multiple domain controllers in the domain, domain DFS provides fault tolerance for any distributed file system in the domain.
The functional level of an Active Directory domain that has one or more domain controllers running Windows Server 2003. The functional level of a domain can be raised to enable new Active Directory features that will apply to that domain only. There are four domain functional levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain functional level is Windows 2000 mixed. When the domain functional level is raised to Windows 2000 native, Windows Server 2003 interim, or Windows Server 2003, advanced domain-wide Active Directory features are available.
The parent/child tree structure of domains.
domain local group
A security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. Domain local security groups can be granted rights and permissions on resources that reside only in the same domain where the domain local group is located.
The name given by an administrator to a collection of networked computers that share a common directory. Part of the DNS naming structure, domain names consist of a sequence of name labels separated by periods.
Domain Name System (DNS)
A hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.
The database structure used by DNS.
domain naming master
A domain controller that holds the domain naming operations master role in Active Directory. The domain naming master controls the addition or removal of domains in the forest. At any time, the domain naming master role can be assigned to only one domain controller in the forest.
domain of origin
The parent DNS domain name that is used to root either a zone or a resource record within a zone. This name is joined to the end of unqualified or relative domain names to form a fully qualified domain name (FQDN) within the zone. In DNS Manager, the domain of origin will correspond to the zone name as it appears in the Add Zone Wizard or the name that appears in the Parent domain name field for any resource records created within the zone.
A DFS namespace, for which the configuration information is stored in Active Directory. The path to access the root or a link starts with the host domain name. A domain root can have multiple root targets, which offer fault tolerance and load sharing at the root level.
For DNS, an optional parent domain name that can be appended to the end of a relative domain name used in a name query or host lookup. The domain suffix can be used to complete an alternate fully qualified DNS domain name to be searched when the first attempt to query a name fails.
In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. For example, when numerous files are stored on disk, directories can be used to organize the files into logical collections. When a domain tree has one or more branches, each branch can organize domain names used in the namespace into logical collections. In Active Directory, a hierarchical structure of one or more domains, connected by transitive, bidirectional trusts, that forms a contiguous namespace. Multiple domain trees can belong to the same forest.
Encrypting File System (EFS)
A feature in this version of Windows that enables users to encrypt files and folders on an NTFS volume disk to keep them safe from access by intruders.
Any significant occurrence in the system or an application that requires users to be notified or an entry to be added to a log.
Event Log service
A service that records events in the system, security, and application logs. The Event Log service is located in Event Viewer.
The process of recording an audit entry in the audit trail whenever certain events occur, such as services starting and stopping or users logging on and off and accessing resources.
A component you can use to view and manage event logs, gather information about hardware and software problems, and monitor security events. Event Viewer maintains logs about program, security, and system events.
In the Macintosh environment, one of the user categories to which you assign permissions for a folder. Permissions granted to everyone apply to all users who use the server, including guests.
A small range of one or more IP addresses within a DHCP scope excluded from the DHCP service. Exclusion ranges ensure that these scope addresses will never be offered to clients by the DHCP server.
Type of memory that can be added to IBM personal computers. The use of expanded memory is defined by the Expanded Memory Specification (EMS), which supports memory boards containing RAM that can be enabled or disabled by software.
A socket in a computer, designed to hold expansion boards and connect them to the system bus.
For DNS, the number of seconds that DNS servers operating as secondary masters for a zone will use to determine if zone data should be expired when the zone is not refreshed and renewed.
Object permissions that are defined when the object is created, specifically assigned, or changed by the owner of the object.
For Message Queuing, a message that uses fewer resources and is faster than a recoverable message. However, because express messages are mapped to memory, they are lost if the computer storing them fails.
Memory beyond one megabyte in 80286, 80386, 80486, and Pentium computers.
A type of partition that you can create only on basic master boot record (MBR) disks. Extended partitions are useful if you want to create more than four volumes on a basic MBR disk. Unlike primary partitions, you do not format an extended partition with a file system and then assign a drive letter to it. Instead, you create one or more logical drives within the extended partition. After you create a logical drive, you format it and assign it a drive letter. An MBR disk can have up to four primary partitions, or three primary partitions, one extended partition, and multiple logical drives.
The process of moving resources, either individually or in a group, back to their preferred node after the node has failed and come back online.
Parameters that an administrator can set using Cluster Administrator that affect failback operations.
A state that applies to a resource or a node in a cluster. A resource or a node is placed in the failed state after an unsuccessful attempt has been made to bring it online.
In server clusters, the process of taking resource groups offline on one node and bringing them online on another node. When failover occurs, all resources within a resource group fail over in a predefined order; resources that depend on other resources are taken offline before, and are brought back online after, the resources on which they depend.
Parameters that an administrator can set using Cluster Administrator that affect failover operations.
A system used to store files on a computer drive. FAT32 is based on the file allocation table (FAT) file system, but it uses 32-bit values for storing files instead of the 16-bit values used by the original FAT file system. FAT32 offers more efficient drive space allocation by creating smaller clusters than FAT and supports volumes of up to 2 terabytes (TB) of size.
The ability of computer hardware or software to ensure data integrity when hardware failures occur. Fault-tolerant features appear in many server operating systems and include mirrored volumes, RAID-5 volumes, and server clusters.
file allocation table (FAT)
A file system used by MS‑DOS and other Windows operating systems to organize and manage files. The file allocation table is a data structure that Windows creates when you format a volume by using FAT or FAT32 file systems. Windows stores information about each file in the file allocation table so that it can retrieve the file later.
file control block (FCB)
A small block of memory temporarily assigned by a computer’s operating system to hold information about a file that has been opened for use. An FCB typically contains such information as the file’s identification, its location on disk, and a pointer that marks the user’s current (or last) position in the file.
A four-character sequence that identifies which program was used to create a file. With Services for Macintosh, you can associate file name extensions with file creators and file types to specify which program starts automatically when you open a file with a particular extension.
file encryption key (FEK)
A pseudo-random cryptographic key that Encrypting File System (EFS) uses to encrypt a file. The FEK is encrypted by the public key of the user performing the encryption, and it is typically different for each encrypted file.
One of two subfiles of a Macintosh file. When Macintosh files are stored on a computer running Services for Macintosh, each fork is stored as a separate file. Each fork can be independently opened by Macintosh users.
A File Server Resource Manager option that is used to define a namespace for a file screen, file screen exception, or storage report. It consists of a set of file name patterns, which in turn determine whether files are included or excluded from a group.
File Replication service (FRS)
A service that provides multimaster file replication for designated directory trees between designated servers running Windows Server 2003. The designated directory trees must be on disk partitions formatted with the version of NTFS used with the Windows Server 2003 family. FRS is used by Distributed File System (DFS) to automatically synchronize content between assigned replicas and by Active Directory to automatically synchronize content of the system volume information across domain controllers.
A File Server Resource Manager option that is used to block certain files from being saved on a volume or in a folder tree. A file screen is applied at the folder level and affects all folders and subfolders in the designated path.
File Server for Macintosh
A service that allows users of Macintosh computers to store, access, and share files on servers running Services for Macintosh. Also called MacFile.
File Server Resource Manager
A suite of tools that allows administrators to understand, control, and manage the quantity and type of data stored on their servers.
In a server cluster, any folder that has an associated File Share resource and is managed by the Cluster service. The file share can fail over from one node to another, but to the end user, the folder looks like a regular folder that remains in one location. Multiple users can access a file share.
File Share resource
A file share accessible by a network path that is supported as a cluster resource by a Resource DLL.
In an operating system, the overall structure in which files are named, stored, and organized. NTFS, FAT, and FAT32 are types of file systems.
file system cache
An area of physical memory that holds frequently used pages. It allows applications and services to locate pages rapidly and reduces disk activity.
File Transfer Protocol (FTP)
A member of the TCP/IP suite of protocols, used to copy files between two computers on the Internet. Both computers must support their respective FTP roles: one must be an FTP client and the other an FTP server.
In the Windows environment, a designation of the operational or structural characteristics of a file. The file type identifies the program, such as Microsoft Word, that is used to open the file. File types are associated with a file name extension. For example, files that have the .txt or .log extension are of the Text Document type and can be opened using any text editor. In the Macintosh environment, a four-character sequence that identifies the type of a Macintosh file. The Macintosh Finder uses the file type and file creator to determine the appropriate desktop icon for that file.
For Indexing Service, software that extracts content and property values from a document to index them. For Internet Protocol security (IPSec), a specification of Internet Protocol (IP) traffic that provides the ability to trigger security negotiations for a communication based on the source, destination, and type of IP traffic. For Internet Information Services (IIS), a feature of Internet Server Application Programming Interface (ISAPI) that allows preprocessing of requests and postprocessing of responses, permitting site-specific handling of Hypertext Transfer Protocol (HTTP) requests and responses. In IP and Internetwork Packet Exchange (IPX) packet filtering, a definition in a series of definitions that indicates to the router the type of traffic allowed or disallowed on each interface.
Software routines and low-level input/output instructions stored in read-only memory (ROM). Unlike random-access memory (RAM), read-only memory stays intact even in the absence of electrical power.
One or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.
The functional level of an Active Directory forest that has one or more domain controllers running Windows Server 2003. The functional level of a forest can be raised to enable new Active Directory features that will apply to every domain in the forest. There are three forest functional levels: Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000. When the forest functional level is raised to Windows Server 2003 interim or Windows Server 2003, advanced forest-wide Active Directory features are available.
forest root domain
The first domain created in a new forest. The forest-wide administrative groups, Enterprise Admins and Schema Admins, are located in this domain. As a best practice, new domains are created as children of the forest root domain.
A trust between two Windows Server 2003 forests that forms trust relationships between every domain in both forests. A forest trust can be created only between the forest root domains in each forest. Forest trusts are transitive, and they can be one-way or two-way. An administrator must manually establish a forest trust, unlike an automatically established trust, such as a parent-child trust.
A collection of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists.
A collection of user accounts. By making a user account a member of a group, you give the related user all the rights and permissions granted to the group.
group identifier (GID)
An identifier in UNIX that associates a user with a group of other users that have something in common. A user can be a member of one or more groups.
The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Windows are determined by the group memberships of the user account under which the user is logged on.
The infrastructure within Active Directory directory service that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify policy settings for registry-based policies, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and organizational units—you can apply the GPO's policy settings to the users and computers in those Active Directory containers. To create an individual GPO, use the Group Policy Object Editor. To manage Group Policy objects across an enterprise, you can use the Group Policy Management console.
Group Policy Management console (GPMC)
An optional tool that unifies and centralizes administration of Group Policy.
Group Policy object (GPO)
A collection of Group Policy settings. GPOs are essentially the documents created by the Group Policy Object Editor. GPOs are stored at the domain level, and they affect users and computers that are contained in sites, domains, and organizational units. In addition, each computer has exactly one group of policy settings stored locally, called the local Group Policy object.
Group Policy Object Editor
The Microsoft Management Console (MMC) snap-in that is used to edit Group Policy objects (GPOs).
Group Policy object link
A method of applying settings in a Group Policy object (GPO) to an Active Directory container (site, domain, or organizational unit). Linking a GPO applies the settings of that GPO to the users and computers in a site, domain, or organizational unit and, by default, to the users and computers in all child containers.
Group Policy Security Settings
The subtrees of the Group Policy Object Editor that allow a security administrator to manually configure security levels assigned to a Group Policy object (GPO) or local computer policy.
A signal emitted at regular intervals by software to indicate that it is still running.
Any device on a TCP/IP network that has an Internet Protocol (IP) address. Examples of hosts include servers, workstations, network-interface print devices, and routers. Sometimes used to refer to a specific network computer that is running a service used by network or remote clients. For Network Load Balancing, a cluster consists of multiple hosts connected over a local area network (LAN).
The domain in which a DFS namespace has been configured.
The portion of the IP address that identifies a computer within a particular network ID.
The DNS name of a device on a network. These names are used to locate computers on the network. To find another computer, its host name must either appear in the Hosts file or be known by a DNS server. For most Windows-based computers, the host name and the computer name are the same.
For Network Load Balancing, a host's precedence for handling default network traffic for TCP and UDP ports. It is used if a host within the cluster goes offline, and it determines which host within the cluster will assume responsibility for the traffic previously handled by the offline host.
The server on which a root target is located.
A local text file in the same format as the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. This file maps host names to IP addresses, and it is stored in the %Systemroot%\System32\Drivers\Etc folder.
Lightweight Directory Access Protocol (LDAP)
The primary access protocol for Active Directory. LDAP is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), that allows users to query and update information in a directory service. Active Directory supports both LDAP version 2 and LDAP version 3.
majority node set server cluster
A cluster configuration that has two or more nodes and that is configured so that the nodes may or may not be attached to one or more cluster storage devices. The cluster configuration data is stored on multiple disks across the cluster, and the Cluster service makes sure that this data is kept consistent across the different disks. There are advantages and limitations for each cluster configuration (single node server cluster, single quorum device server cluster, and majority node set server cluster).
Any program that is created to do intentional harm to or compromise the security of a computer. Examples of malicious programs include trojan horses and computer viruses.
A person who has legitimate access to a system and poses a security threat to it, such as someone who tries to elevate their user rights to gain access to unauthorized data.
A local NTFS file system 5.0 volume whose disk space is managed by Remote Storage. Remote Storage frees up disk space by automatically moving infrequently accessed files to a remote storage device.
Management and Monitoring Tools
Software components that include utilities for network management and monitoring, along with services that support client dialing and the updating of client phone books. Also included is the Simple Network Management Protocol (SNMP).
management information base (MIB)
A set of objects that represent various types of information about a device, used by Simple Network Management Protocol (SNMP) to manage the device. Because different network management services are used for different types of devices and protocols, each service has its own set of objects.
A network-enabled host running Simple Network Management Protocol (SNMP) management software. This software requests information from SNMP agents. Also called a management console.
mandatory user profile
A user profile that is not updated when the user logs off. It is downloaded to the user’s desktop each time the user logs on, and it is created by an administrator and assigned to one or more users to create consistent or job-specific user profiles. Only members of the Administrators group can change profiles.
A security attack in which an attacker intercepts and possibly modifies data that is transmitted between two users. The attacker pretends to be the other person to each user. In a successful man-in-the-middle attack, the users are unaware that there is an attacker between them, intercepting and modifying their data. Also referred to as a bucket brigade attack.
master boot record (MBR)
The first sector on a hard disk, which begins the process of starting the computer. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.
master file table (MFT)
An NTFS system file on NTFS-formatted volumes that contains information about each file and folder on the volume. The MFT is the first file on an NTFS volume.
An authoritative DNS server for a zone. Master servers can vary and are one of two types (either primary or secondary masters), depending on how the server obtains its zone data.
In Network Information Service (NIS), a server that provides periodic updates of NIS maps to subordinate servers. A Windows-based master server running Server for NIS can push periodic updates to both UNIX-based and Windows-based subordinate servers. Master servers running Server for NIS update Server for NIS subordinate servers through an Active Directory database shared with the subordinate server.
A drive attached to an empty folder on an NTFS volume. Mounted drives function the same as any other drive, but are assigned a label or name instead of a drive letter. The mounted drive's name is resolved to a full file system path instead of just a drive letter. Members of the Administrators group can use Disk Management to create mounted drives or reassign drive letters.
multicast server (MCS)
A service that manages zero or more multicast groups and distributes multicast data sent to it by clients of those multicast groups through point-to-multipoint connections.
A computer configuration that runs two or more operating systems.
An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user’s first name, last name, and e-mail address. For OLE and ActiveX, an object can also be any piece of information that can be linked to, or embedded into, another object.
object access event category
In auditing, a group of events that are logged when an object, such as a file or folder, is accessed by means of an action for which auditing has been enabled. For example, object access events might be logged when a file is opened, modified, or deleted.
A distinct, named set of attributes that represents a specific type of entity stored in the directory, such as users, printers, or applications. The attributes include data describing the thing that is identified by the directory object. Attributes of a user might include the user's first name, last name, and e-mail address.
A number that identifies an object class or attribute. Object identifiers (OIDs) are organized into an industry-wide global hierarchy. An object identifier is represented as a dotted decimal string, such as 22.214.171.124, with each dot representing a new branch in the hierarchy. National registration authorities issue root object identifiers to individuals or organizations, who manage the hierarchy below their root object identifier.
See other term: Open Database Connectivity (ODBC)
A state that marks a component in a cluster as unavailable. A node in an offline state is either inactive or not running. Resources and groups also have an offline state.
For Message Queuing, a condition in which a computer that belongs to a domain is temporarily unable to communicate with a domain controller. This occurs when the computer itself is offline, all domain controllers in the site are offline, or when an attempt is made to access a remote computer and the remote computer is temporarily unable to query a domain controller for authentication.
A way to transfer and share information between applications by pasting information created in one application into a document created in another application, such as a spreadsheet or word processing file.
Information stored on a local disk drive. The on-disk catalog contains a list of files and folders that have been backed up in a backup set.
A trust relationship between two domains in which only one of the two domains trusts the other domain. For example, domain A trusts domain B, and domain B does not trust domain A. One-way trusts are often used to enable authenticated access to resource domains.
A state that marks a component in a cluster as available. When a node is online, it is an active member of the cluster and can own and run groups as well as honor cluster database updates, contribute votes to the quorum algorithm, and maintain heartbeats. Resources and groups also have an online state.
Information stored on backup storage media. The on-media catalog contains a list of files and folders that have been backed up in a backup set.
Open Database Connectivity (ODBC)
An application programming interface (API) that enables database applications to access data from a variety of existing data sources.
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object (GPO) can be linked, or over which administrative authority can be delegated.
For DNS and Active Directory, domains that are located in the namespace tree directly above other derivative domain names (child domains). For example, microsoft.com would be the parent domain for example.microsoft.com, a child domain.
An object in which another object resides. For example, a folder is a parent object in which a file, or child object, resides. An object can be both a parent and a child object. For example, a subfolder that contains files is both the child of the parent folder and the parent folder of the files.
A trust that is automatically established when a new domain (the child domain) is added, or becomes subordinate, to an existing domain (the parent domain). Parent-child trusts are transitive and two-way.
A calculated value that is used to reconstruct data after a failure. RAID-5 volumes stripe data and parity intermittently across a set of disks. When a disk fails, some server operating systems use the parity information together with the data on good disks to recreate the data on the failed disk.
A portion of a physical disk that functions as though it were a physically separate disk. After you create a partition, you must format it and assign it a drive letter before you can store data on it. On basic disks, partitions are known as basic volumes, which include primary partitions and logical drives. On dynamic disks, partitions are known as dynamic volumes, which include simple, striped, spanned, mirrored, and RAID-5 volumes.
partition boot sector
A portion of a hard disk partition that contains information about the disk's file system and a short machine language program that loads the Windows operating system.
A feature that detects when a predefined counter value rises above or falls below the configured threshold and notifies a user by means of the Messenger service.
In System Monitor, a data item that is associated with a performance object. For each counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object.
In System Monitor, a logical collection of counters that is associated with a resource or service that can be monitored.
performance object instance
In System Monitor, a term used to distinguish between multiple performance objects of the same type on a computer.
A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are assigned or denied by the object's owner.
The hard disk drive that contains the system and boot partitions used to start Windows.
primary domain controller (PDC)
In a Windows NT domain, a domain controller running Windows NT Server 4.0 or earlier that authenticates domain logon attempts and updates user, computer, and group accounts in a domain. The PDC contains the master read-write copy of the directory database for the domain. A domain has only one PDC. In a Windows 2000 or Windows Server 2003 domain, the PDC emulator master supports compatibility with client computers that are not running Windows 2000 or Windows XP Professional.
The group with which a Macintosh user usually shares documents stored on a server. You specify a user's primary group in the user's account. When a user creates a folder on the server, the user's primary group is set by default as the folder's associated group.
An authoritative DNS server for a zone that can be used as a point of update for the zone. Only primary masters have the ability to be updated directly to process zone updates, which include adding, removing, or modifying resource records that are stored as zone data. Primary masters are also used as the first sources for replicating the zone to other DNS servers.
A type of partition that you can create on basic disks. A primary partition is a portion of a physical disk that functions as though it were a physically separate disk. On basic master boot record (MBR) disks, you can create up to four primary partitions on a basic disk, or three primary partitions and an extended partition with multiple logical drives. On basic GUID partition table (GPT) disks, you can create up to 128 primary partitions. Also known as a volume.
A copy of the zone that is administered locally.
The source code that contains both the data to be printed and the commands for print. Print jobs are classified into data types based on what modifications, if any, the spooler must make to the job for it to print correctly.
The component that, working in conjunction with the printer driver, receives and alters print jobs, as necessary, according to their data type to ensure that the jobs print correctly.
A computer that is dedicated to managing the printers on a network. The print server can be any computer on the network.
Print Server for Macintosh
A service that enables Macintosh clients to send and spool documents to printers attached to a computer running Windows NT Server; Windows 2000 Server; or an operating system in the Windows Server 2003 family, excluding 64-bit editions, and that enables clients to send documents to printers anywhere on an AppleTalk network. Also known as MacPrint.
Software that accepts a document sent to a printer and then stores it on disk or in memory until the printer is ready for it.
Print Spooler resource
Printer queues providing access to a network printer connected to the network by an IP address rather than by an individual name. Print spoolers are supported as cluster resources by a Resource DLL.
A device that puts text or images on paper or other print media. Examples are laser printers or dot-matrix printers.
Printer Control Language (PCL)
The page-description language (PDL) developed by Hewlett-Packard for their laser and inkjet printers. Because of the widespread use of laser printers, this command language has become a standard in many printers.
A program designed to allow other programs to work with a particular printer without concerning themselves with the specifics of the printer`s hardware and internal language. By using printer drivers that handle the subtleties of each printer, programs can communicate properly with a variety of printers.
A fault-tolerant volume with data and parity striped intermittently across three or more physical disks. Parity is a calculated value that is used to reconstruct data after a failure. If a portion of a physical disk fails, Windows recreates the data that was on the failed portion from the remaining data and parity. You can create RAID-5 volumes only on dynamic disks on computers running the Windows 2000 Server or Windows Server 2003 families of operating systems. You cannot mirror or extend RAID-5 volumes. In Windows NT 4.0, a RAID-5 volume was known as a striped set with parity.
A set of security principals, in a non-Windows networked environment, that are subject to Kerberos authentication.
An identifying prefix or suffix appended to a user name to enable appropriate routing and authentication during a remote logon process.
A trust between non-Windows Kerberos V5 realms, such as a UNIX realm, and Active Directory domains. Realm trusts can be transitive, nontransitive, one-way, or two-way.
Redundant Array of Independent Disks (RAID)
A method used to standardize and categorize fault-tolerant disk systems. RAID levels provide various mixes of performance, reliability, and cost. Some servers provide three of the RAID levels: Level 0 (striping), Level 1 (mirroring), and Level 5 (RAID-5).
In Active Directory replication, one instance of a logical Active Directory partition that is synchronized by means of replication between domain controllers that hold copies of the same directory partition. Replica can also refer to an instance of an object or attribute in a distributed directory. In the File Replication service (FRS), a computer that has been included in the configuration of a specific replica set.
One or more shared folders that participate in replication.
A folder that is kept synchronized on members of a replication group. A replicated folder has an associated local path on each member.
The process of copying updated data from a data store or file system on a source computer to a matching data store or file system on one or more destination computers to synchronize the data.
A set of servers that participate in the replication of one or more replicated folders.
In Active Directory replication, the delay between the time an update is applied to a given replica of a directory partition and the time it is applied to some other replica of the same directory partition. A server receives changes no sooner than either it is notified of a change from its neighbor in the same site or its periodic replication timer expires. Sometimes referred to as propagation delay.
A domain controller that acts as a replication source for a given domain controller. The Knowledge Consistency Checker (KCC) determines which servers are best suited to replicate with each other, and it generates the list of domain controllers that are candidates for replication partners from the list of domain controllers in the site on the basis of connectivity, history of successful replication, and matching of full and partial replicas. A domain controller has some number of direct replication partners with which it replicates for a given directory partition. The other domain controllers in the site replicate transitively with this domain controller.
Rules that define how and when replication is performed.
In Active Directory replication, the set of physical connections that domain controllers use to replicate directory updates among domain controllers within sites and between sites. In the File Replication service (FRS), the interconnections between replica set members. These interconnections determine the path that data takes as it replicates to all replica set members.
A measure of how well a computer, service, or application can grow to meet increasing performance demands. For server clusters, the ability to incrementally add one or more systems to an existing cluster when the overall load of the cluster exceeds its capabilities.
The set of definitions for the universe of objects that can be stored in a directory. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it can have, and which other object classes can be its parent object class.
A domain controller that holds the schema operations master role in Active Directory. The schema master performs write operations to the directory schema and replicates updates to all other domain controllers in the forest. At any time, the schema master role can be assigned to only one domain controller in the forest.
A range of IP addresses that are available to be leased or assigned to DHCP clients by the DHCP service.
scope of influence
In a domain environment, a site, domain, or organizational unit; in a workgroup environment, the local disk.
scope of management (SOM)
In Group Policy, any Active Directory container to which you can link a Group Policy object (GPO). These containers can be sites, domains, or organizational units.
A specific virtual IP address assigned to a Network Load Balancing cluster (the “primary cluster”). The secondary cluster's virtual IP address is different from the primary cluster's virtual IP address. Secondary clusters allow you to configure an independent set of port rules for each virtual IP address in your Network Load Balancing (primary) cluster. Also known as a virtual cluster.
The practice of logging on by using one security context and then, within the initial logon session, authenticating and using a second account. In Windows 2000, Windows XP Professional, and the Windows Server 2003 family, secondary logon is enabled by the RunAs.exe program and service.
Secure Sockets Layer (SSL)
A proposed open standard for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.
A computer that provides shared resources, such as files or printers, to network users.
Application software running on a cluster node, regardless of whether it does service registration.
A group of computers, known as nodes, working together as a single system to ensure that mission-critical applications and resources remain available to clients. A server cluster presents the appearance of a single server to a client.
In Active Directory Federation Services (ADFS), a collection of load-balanced federation servers, federation server proxies, or Web servers hosting the ADFS Web Agent.
Server for NIS
A feature of Windows that enables a Windows-based Active Directory domain controller to administer Network Information Service (NIS) networks.
Server Message Block (SMB)
A file-sharing protocol designed to allow networked computers to transparently access files that reside on remote systems over a variety of networks. The SMB protocol defines a series of commands that pass information between computers. SMB uses four message types: session control, file, printer, and message.
Server Operators group
A group whose members can manage all domain controllers in a single domain. This group does not exist on workstations, stand-alone servers, or member servers. Administrative tasks that can be performed by members of this group include logging on locally, creating and deleting network shared resources, starting and stopping services, backing up and restoring files, formatting the hard disk of the computer, and shutting down the computer.
The AppleTalk zone on which a server appears. On a Phase 2 network, a server appears in the default zone of the server's default network.
Server-Gated Cryptography (SGC)
An extension of Secure Sockets Layer (SSL) that enables organizations, such as financial institutions, that have export versions of Internet Information Services (IIS) to use strong encryption (for example, 128-bit encryption).
A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage. Some examples of services are the Security Accounts Manager service, File Replication service, and Routing and Remote Access service.
service (SRV) resource record
A DNS resource record used to identify computers that host specific services, specified in RFC 2782. SRV resource records are used to locate domain controllers for Active Directory.
Service Advertising Protocol (SAP)
A NetWare protocol used to identify the services and addresses of servers attached to the network. When a server starts, it uses the protocol to advertise its service. When the same server goes offline, it uses the protocol to announce that it is no longer available. NWLink IPX/SPX/NetBIOS Compatible Transport Protocol (NWLink) uses SAP to locate NetWare servers and services.
A software upgrade to an existing software distribution that contains updated files consisting of patches and hot fixes.
To make resources, such as folders and printers, available to others.
A folder on another computer that has been made available for other people to use on the network.
shared folder permissions
Permissions that restrict a shared resource's availability over the network to only certain users.
A printer that receives input from more than one computer. For example, a printer attached to another computer on the network can be shared so that it is available for you to use. Also called a network printer.
Any device, data, or program that is used by more than one program or one other device. For Windows, shared resource refers to any resource that is made available to network users, such as folders, files, printers, and named pipes. Shared resource can also refer to a resource on a server that is available to network users.
A file that is handled in a way that requires much less disk space than would otherwise be needed. Sparse support allows an application to create very large files without committing disk space for those regions of the file that contain only zeros. For example, you can use sparse support to work with a 42-GB file in which you need to write data only to the first 64 KB (the rest of the file is zeroed).
On NTFS volumes, a custom set of permissions. You can customize permissions on files and directories by selecting the individual components of the standard sets of permissions.
storage area network (SAN)
A set of interconnected devices (such as disks and tapes) and servers that are connected to a common communication and data transfer infrastructure such as Fibre Channel.
A server that runs Windows 2000 or Windows Server 2003, but does not participate in a domain. A stand-alone server has only its own database of users, and it processes logon requests by itself. A stand-alone server does not share account information with other computers and cannot provide access to domain accounts, but it can participate in a workgroup.
A DNS domain located directly beneath another domain name (the parent domain) in the namespace tree. For example, example.microsoft.com would be a subdomain of the domain microsoft.com. Also called child domain.
system default profile
The user profile that is loaded when Windows is running and no user is logged on. When the Begin Logon dialog box is visible, the system default profile is loaded.
A disk that contains the MS-DOS system files necessary to start MS-DOS.
Files used by Windows to load, configure, and run the operating system. Generally, system files must never be deleted or moved.
A menu that contains commands you can use to manipulate a window or close a program. You click the program icon at the left of the title bar to open the System menu.
The partition that contains the hardware-specific files needed to load Windows (for example, Ntldr, Osloader, Boot.ini, Ntdetect.com). The system partition can be, but does not have to be, the same as the boot partition.
A Windows NT 4.0-style policy based on registry settings made using Poledit.exe, the System Policy Editor.
In Backup, a collection of system-specific data maintained by the operating system that must be backed up as a unit. It is not a backup of the entire system. The System State data includes the registry, COM+ Class Registration database, system files, boot files, and files under Windows File Protection. For servers, the System State data also includes the Certificate Services database (if the server is a certificate server). If the server is a domain controller, the System State data also includes the Active Directory database and the SYSVOL directory. If the server is a node in a cluster, it includes the Cluster database information. The IIS Metabase is included if Internet Information Services (IIS) is installed.
Storage locations for data that are defined by the operating system and that are the same regardless of who is logged on at the computer. (Users who are also members of the Administrators group can add new variables or change the values.)
The volume that contains the hardware-specific files that are needed to load Windows on x86-based computers with a basic input/output system (BIOS). The system volume can be, but does not have to be, the same volume as the boot volume.
The path and folder name where the Windows system files are located. Typically, this is C:\Windows, although you can designate a different drive or folder when you install Windows. You can use the value %systemroot% to replace the actual location of the folder that contains the Windows system files. To identify your systemroot folder, click Start, click Run, type %systemroot%, and then click OK.
Systems Management Server (SMS)
A Microsoft product that includes inventory collection, software deployment, and diagnostic tools. SMS automates the task of upgrading software, allows remote problem solving, provides asset management information, and monitors software usage, computers, and networks.
A shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain.
The underlying technology that enables Remote Desktop, Remote Assistance, and Terminal Server.
user authentication module (UAM)
A software component that prompts clients for their user names and passwords.
Temporary storage used by a computer to run programs that need more memory than it has. For example, programs could have access to 4 gigabytes (GB) of virtual memory on a computer's hard drive, even if the computer has only 32 megabytes (MB) of random access memory (RAM). The program data that does not currently fit in the computer's memory is saved into paging files.
Virtual Memory Size
In Task Manager, the amount of virtual memory, or address space, committed to a process.
A computer that is maintained by a system administrator or Internet service provider (ISP) and that responds to requests from a user’s browser.
Web Services (WS-*)
The specifications for a Web Services Architecture that is based on industry standards such as Simple Object Access Protocol (SOAP); XML; Web Service Description Language (WSDL); and Universal Description, Discovery, and Integration (UDDI). WS-* provides a foundation for delivering complete, interoperable business solutions for the extended enterprise, including the ability to manage federated identity and security.
Web Services Security (WS-Security)
A series of specifications that describe how to attach signature and encryption headers to Simple Object Access Protocol (SOAP) messages. In addition, WS-Security describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In Active Directory Federation Services (ADFS), WS-Security is used when Kerberos signs security tokens.
A simple grouping of computers, intended only to help users find such things as printers and shared folders within that group. Workgroups in Windows do not offer the centralized user accounts and authentication offered by domains.