Windows 2000 Glossary

Adapted, with permission, from Sean Deuby, Windows 2000 Server: Planning and Migration (Macmillan Technical Publishing, 1999).

Windows 2000 (Win2K) introduces dozens of new acronyms and uses many common Windows NT acronyms. This glossary defines the most common acronyms and terms associated with Win2K. For more information about Win2K terminology, see Microsoft's Win2K Server Glossary (server/en/glossary_srv.htm), Microsoft's hardware glossary (hwdev/glossary.htm) and acronym list (hwdev/acronym.htm), PC Webopaedia, and Windows NT Magazine's online glossary (glossary.cfm?action=alpha).

A: Address record. A DNS resource record that maps a FQDN to an IP address.

ACE: Access control entry. The basic unit of NT security. ACEs control access to NTFS and AD objects, printers, and Registry keys. ACEs consist of a SID, which represents a security principal such as a user or group, and an access mask, which defines the access rights of that SID. A collection of ACEs that control access to an object is an ACL.

ACL: Access control list. A collection of ACEs that define the access rights to an NT object.

ACPI: Advanced Configuration and Power Interface. The successor to Advanced Power Management (APM); lets the OS rather than the BIOS control computer hardware power consumption.

AD: Active Directory. Win2K's directory service; AD is a hierarchical namespace that serves as a Win2K network's backbone. The service uses a multimaster replication model in which each domain controller maintains a read-write copy of the directory. AD is highly scalable.

ADSI: Active Directory Service Interfaces. An API to simplify accessing AD objects.

Attribute: A characteristic of an AD object; often called a property in Win2K, especially in reference to replication.

Basic disk: Win2K's default logical disk partition configuration. A basic disk can contain primary partitions and extended partitions with logical drives. By default, Win2K disks are basic disks until you convert them to dynamic disks.

CA: Certificate Authority. A service such as Microsoft Certificate Server that issues digital certificates.

CDFS: CD-ROM File System. The file system used on PC CD-ROMs, as defined by the International Organization for Standardization (ISO) computer standard 9660.

Child domain: A Win2K domain whose DNS name is subordinate to another domain. For example, is a child domain of Also called a subdomain.

CIFS: Common Internet File System. CIFS defines a standard remote file-system access protocol for use over the Internet, letting groups of users work together and share documents across the Internet or within their corporate intranets.

CLDAP: Connectionless LDAP. A UDP-like protocol for directory service communications; doesn't require a session.

Cluster: Individual computers connected to act as one computer.

Connection object: A unidirectional replication path between two domain controllers. The bidirectional ring in AD replication requires two connection objects.

Container: An AD object that holds groups of objects and other containers.

CSP: Cryptographic Service Provider. Code that creates, destroys, and uses keys to perform a variety of cryptographic operations.

DCPROMO: The wizard that promotes a Win2K member server or standalone server to a domain controller. Running this program on a domain controller demotes the machine to a member server or standalone server.

DDNS: Dynamic DNS. DHCP and Win2K clients dynamically update DNS records instead of using the traditional method of manually or programmatically adding the records to (static) DNS zone files.

Delegation: The capability whereby a higher administrative authority grants specific rights to groups and individuals.

Dfs: Distributed file system. A Win2K component that abstracts the \\server\share resource location convention to a logical hierarchy of directories that the systems administrator defines.

DHCP: Dynamic Host Configuration Protocol. A protocol for assigning dynamic IP addresses on a network. DHCP can also assign network options, such as default gateways, WINS servers, and DNS servers.

Digital certificate: An attachment to a data stream that confirms the sender's identity or that encrypts the data.

DN: Distinguished name. A unique description of the object and its path in AD. For example, /O=Internet/DC=COM/DC=Intel/CN=Users/CN=Sean Deuby.

DNS: Domain Name System. The Internet's name-to-IP-address resolution system.

Domain tree: A Win2K domain hierarchy, connected by transitive trusts that form a contiguous namespace.

Downlevel trust: A trust explicitly established between a Win2K domain and an NT 4.0 domain.

DSA: Directory service agent. The process that manages AD's physical storage.

DSCLIENT: Directory Service Client. An add-on to make Windows 9x clients marginally AD aware.

Dynamic disk: A disk that supports volume sets after you use Win2K's Disk Management utility to convert the disk from basic to dynamic storage. Only Win2K can use dynamic disks, and dynamic disks can't contain partitions or logical drives.

EFS: Encrypting File System. A new feature of NTFS 5.0 that adds encryption to a file or directory.

EMA: Enterprise Memory Architecture. A Win2K improvement that lets applications address as much as 64GB of virtual memory.

Encryption: The process of taking readable text (plaintext) and rendering it unreadable (ciphertext) by applying an encryption algorithm.

Explicit trust: A trust you manually establish between two Win2K domains or between a Win2K domain and a downlevel domain (in addition to their built-in transitive trusts with each other, if they're in the same forest).

First-layer domain: A Win2K domain whose parent domain is the root domain.

Folder: A component of an organizational structure that organizes files on the hard disk. Also called a directory, and typically represented by a folder icon.

Forest: One or more domain trees that don't form a contiguous namespace but that share a common schema, configuration, and global catalog.

FQDN: Fully Qualified Domain Name. A DNS term that describes a host name plus the full path, listing all domain memberships from left to right. For example,

FSMO: Flexible single master object. The master copy for certain internal AD functions that require one authoritative master, such as schema changes and PDCs for NT 4.0 and earlier clients. Microsoft is phasing out the term FSMO, in favor of operations master.

GINA: Graphical Identification and Authentication. The subsystem that handles the logon presentation to the user.

Global Catalog: An index containing every AD object but only a few attributes of each object. Helps users and applications locate the most commonly used objects and attributes within a forest.

GPO: Group Policy Object. Group Policies let you define settings for groups of users and computers to simplify the management of numerous objects. Groups can contain users, computers, and other groups.

GUID: Globally unique ID. A unique (i.e., never duplicated) 128-bit number that identifies an AD object.

HSM: Hierarchical Storage Management. A data storage system that automatically moves data between high-cost and low-cost media, based on parameters the administrator sets.

Inheritance: The capability of a child object to automatically acquire specific rights from a parent object.

IP address: A numbering method to uniquely identify a node and to specify routing information on a network using the TCP/IP protocol. Each node on the network must have a unique IP address that consists of the network ID and a unique host ID that the network administrator assigns.

IPSec: IP Security. IP-level security for authentication and encryption.

KCC: Knowledge Consistency Checker. An AD function that monitors and dynamically configures replication connection objects between domain controllers.

KDC: Key Distribution Center. A Kerberos function, running on every domain controller, that controls the distribution of keys and tickets.

Kerberos: An authentication protocol, defined by the Internet Engineering Task Force (IETF) in Request For Comments (RFC) 1510 and characterized by distributed, mutual authentication of client and server.

Key: A password, usually encrypted. Keys can be publicly available.

Key pair: A public key and a private key, used together in PKI to encrypt and decrypt data.

LDAP: Lightweight Directory Access Protocol. A small and fast protocol, based on X.500's Directory Access Protocol, that is the default protocol for communication with AD.

MDHCP: Multicast DHCP. An extension of DHCP that automatically distributes multicast address configurations to network clients.

MDI: Multiple-document interface. A user interface (UI) that the MMC and other utilities use. The MMC's MDI lets you load more than one independently running snap-in into the management window.

MFT: Master File Table. The relational database at the heart of the NTFS volume structure that contains all the information about files and directories on that volume. Two copies of the MFT exist on every NTFS volume.

MMC: Microsoft Management Console. A user interface (UI) framework to which you add snap-ins to perform management tasks.

Mutual authentication: A feature of authentication protocols such as Kerberos. The client and server must prove their identity to each other before authentication proceeds.

Namespace: A bounded area in which a name can be resolved. In AD, the namespace is equal to the directory tree, within which DNS resolves names.

NC: Naming context. The AD unit of replication. A naming context defines AD objects' replication boundaries.

NSS: Native Structured Storage. A Win2K feature for storing ActiveX documents.

NTLM: NT LAN Manager. The primary NT 4.0 security authentication protocol.

Object: A collection of attributes or characteristics that represents a self-contained entity (e.g., a user).

OID: Object identifier. A globally (i.e., worldwide) unique identifier required by Open System Interconnection (OSI) International Standards and Recommendations to identify an X.500 object.

Parent domain: A Win2K domain that has another domain subordinate to it in the DNS namespace. For example, the domain is a parent domain of the domain

PKI: Public key infrastructure. A system of digital certificates, certificate authorities, and other registration authorities that verify and authenticate each party's validity in an electronic transaction.

Plaintext: Unencrypted data.

Private key: Part of PKI (i.e., one half of a key pair). Decrypts data that the same user's public key encrypted.

Property: A characteristic of an object. Often used interchangeably with attribute.

PTR record: Pointer record. A DNS resource record that maps an IP address to a (fully qualified domain) name. Often referred to as a reverse lookup record.

Public key: Part of PKI (i.e., one half of a key pair). Encrypts data that the user's private key must then decrypt.

Replication topology: The configuration of the replication scheme between domain controllers.

RID: Relative Identifier. A component of the SID.

Root domain: The top-level domain in a Win2K domain tree. Also the top-level DNS domain on the Internet.

RR: Resource Record. A DNS zone file entry. DNS RRs include Start of Authority, Name Server, Mail Exchange, Host, CNAME, and SRV. Each RR describes different types of information about hosts (i.e., computers) in the DNS domain. Win2K uses DNS as its location service to discover network resources.

RRAS: Routing and Remote Access Service. Win2K's successor to RAS; includes routing functionality especially useful to small office environments.

RSS: Remote Storage Service. HSM for Win2K.

SAS: Secure Attention Sequence. Otherwise known as the three-finger salute: Ctrl+Alt+Del.

Schema: The definition of all the object types that AD can store.

Shortcut trust: An explicit trust to circumvent the trust referral process between directory trees.

SID: Security ID. A unique number that identifies a user or group in an NT domain.

Signed data: Data with a digital certificate attached as proof of origin or authenticity.

Site: A collection of domain controllers that have high-speed connections to optimize replication and logon traffic. AD defines sites by the subnets the domain controllers are in.

Site connector: The link (usually TCP/IP) over which replication between two sites occurs. You can use TCP/IP or SMTP to link two sites.

Site link: A means of weighting the relative cost of replication between sites.

Snap-in: A management object that you add to the MMC to handle tasks such as AD management and disk defragmentation.

SOA RR: Start of Authority Resource Record for a DNS zone.

Sparse file: A large file that has been preallocated but is mostly empty, such as a database log file.

SSP: Security Support Provider. NT protocol(s) that provide security services. In NT 4.0, NTLM is the only SSP. In Win2K, Kerberos, PKI, and NTLM are the SSPs.

SSPI: Security Support Provider Interface. The API set that applications use to access SSPs such as Kerberos or NTLM.

Ticket: A Kerberos object that contains user information, access rights, an expiration time, and preauthorization data (i.e., data that contains NT-specific security information).

TLD: Top-level domain. A DNS term that describes the top of the DNS domain hierarchy. An example Internet TLD is .com. An example intranet TLD is

Transitive trust: A trust between Win2K domains that allows referrals from one domain to another.

Tree: A group of domains that form a contiguous namespace and share a common schema, configuration, and global catalog. A tree's name is always the domain's DNS name at the tree's root (e.g.,

UDF: Universal disk format. The successor to CDFS. (Also stands for Uniqueness Database File, in automated installations.)

UDP: User Datagram Protocol. A TCP-related component that delivers data to the target network node but doesn't guarantee delivery (i.e., no acknowledgments) or that the data will arrive in order. In this respect it is much like the IP layer of TCP/IP.

UNC: Uniform naming convention. A convention that only Microsoft networks use, with the syntax \\server\share\directory\file.ext.

UPN: User Principal Name. A friendly name that references a user in AD. The UPN consists of the user's logon name and the DNS name of the domain where the user's object resides. For example, [email protected]

USB: Universal Serial Bus. A standard for serial device communication that supports Plug and Play (PnP).

USN: Update sequence number. A 64-bit unique number for tracking updates to AD properties. An integral component of the AD replication scheme.

WBEM: Web-Based Enterprise Management. Formerly WMI.

WINS: Windows Internet Naming Service. A Win2K or NT network service that provides NetBIOS over TCP/IP name registration and dynamic NetBIOS name-to-IP-address resolution services to network clients.

WMI: Windows Management Instrumentation. Open, environment-independent specifications that let you share information between management applications that run in similar and dissimilar OS environments.

X.500: A comprehensive but cumbersome directory information model. Many directories are derived from X.500 (e.g., AD) but are not fully X.500 compliant.

X.509: A digital certificate standard that Kerberos uses in Win2K.
