Active Directory design and deployment best practices
aku1 posted on 2005-6-16 11:37:10

Multi-forest considerations

Active Directory design and deployment best practices

Active Directory Glossary (very good; I had not seen it before)

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A

access control -- the management of permissions for logging on to a computer or network.

ACE -- see access control entry.

access control entry (ACE) -- each ACE contains a security identifier (SID), which identifies the principal (user or group) to whom the ACE applies, and information on what type of access the ACE grants or denies.

access control list (ACL) -- a set of data associated with a file, directory, or other resource that defines the permissions that users and/or groups have for accessing it. In the Active Directory service, an ACL is a list of access control entries (ACEs) stored with the object it protects. In the Windows NT® operating system, an ACL is stored as a binary value, called a security descriptor.

ACL -- see access control list.

Active Directory -- a structure supported by Windows® 2000 that lets any object on a network be tracked and located. Active Directory is the directory service used in Windows 2000 Server and provides the foundation for Windows 2000 distributed networks.

Active Directory Service Interfaces (ADSI) -- a client-side product based on the Component Object Model (COM). ADSI defines a directory service model and a set of COM interfaces that enable Windows NT and Windows 95 client applications to access several network directory services, including Active Directory. ADSI allows applications to communicate with Active Directory.

ADSI provides the means for directory service clients to use one set of interfaces to communicate with any namespace that provides an ADSI implementation. ADSI clients gain a simpler access to namespace services by using ADSI in place of the network-specific application programming interface (API) calls. ADSI conforms to and supports standard COM features. ADSI also defines interfaces and objects accessible from automation-compliant languages such as Java, Visual Basic®, and Visual Basic Scripting Edition (VBScript), as well as from non-automation-compliant languages such as C and C++, which enhance performance. In addition, ADSI supplies its own OLE database provider, and so fully supports any clients already using an OLE database, including those using ActiveX® technologies.

ADSI -- see Active Directory Service Interfaces.

attribute -- a single property of an object. An object is described by the values of its attributes. For example, a car can be described by its attributes:  make, model, color, and so on. The term attribute is often used interchangeably with property, which means the same thing. Attributes are also data items used to describe the objects that are represented by the classes defined in the schema. Attributes are defined in the schema separately from the classes; this allows a single attribute definition to be applied to many classes.  See also object.

authentication -- verifying the identity of a user who is logging on to a computer system or verifying the integrity of a transmitted message.

B

backup domain controller (BDC) -- in a Windows NT Server 4.0 or earlier domain, a computer running Windows NT Server that receives a copy of the domain’s directory database, which contains all account and security policy information for the domain. The copy is synchronized periodically and automatically with the master copy on the primary domain controller (PDC). Backup domain controllers also authenticate user logons and can be promoted to function as PDCs as needed. Multiple backup domain controllers can exist on a domain.

In a Windows 2000 domain, backup domain controllers are not required; all domain controllers are peers, and all can perform maintenance on the directory. Windows NT 4.0 and Windows NT 3.51 backup domain controllers can participate in a Windows 2000 domain when it is running in mixed mode. See also domain controller, primary domain controller.

C

container -- a special type of Active Directory object. A container is like other directory objects in that it has attributes and is part of the Active Directory namespace. However, unlike other objects, it does not usually represent something concrete. It is the container for a group of objects and other containers. See also object.

D

database layer -- an architectural layer of Active Directory that isolates the upper layers of the directory service from the underlying database system by exposing application programming interfaces (APIs) to the Directory System Agent (DSA) layer so that no calls are made directly to the Extensible Storage Engine (ESE).

delegation -- allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups. This eliminates the need for domain administrators with sweeping authority over large segments of the user population. Access control entries (ACEs) can grant specific administrative rights on the objects in a container to a user or group. Rights are granted for specific operations on specific object classes via ACEs in the container’s Access Control List (ACL).

For example, to allow user “James Smith” to be an administrator of the "Corporate Accounting" organizational unit, you would add ACEs to the ACL on “Corporate Accounting” as follows:

“James Smith”; Grant; Create, Modify, Delete; Object-Class User

“James Smith”; Grant; Create, Modify, Delete; Object-Class Group

“James Smith”; Grant; Write; Object-Class User; Attribute Password

Now James Smith can create new users and groups in Corporate Accounting and set the passwords on existing users, but he cannot create any other object classes and he cannot affect users in any other containers (unless, of course, he is granted that access by ACEs on the other containers).
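The delegation entry above is easiest to check by evaluating the three ACEs against concrete requests. The following Python is an added example, not part of the glossary or of Windows: it is a simplified model in which trustees are names rather than SIDs, "Write" on a named attribute stands in for the attribute-level right, and only explicit ACEs on the container itself are evaluated (no inheritance). The OU distinguished names, the Sales and Restricted containers and the extra Deny ACE are constructed for the demonstration; the Corporate Accounting ACEs are the glossary's own.

```python
"""Evaluate the delegation ACEs on the "Corporate Accounting" OU.

Added example: a simplified, stand-alone model of explicit-ACE evaluation.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class ACE:
    trustee: str                          # principal the ACE applies to (a SID in real AD)
    allow: bool                           # True = Grant, False = Deny
    rights: FrozenSet[str]                # e.g. {"Create", "Modify", "Delete"} or {"Write"}
    object_class: Optional[str] = None    # restrict to one object class; None = any class
    attribute: Optional[str] = None       # restrict "Write" to one attribute; None = any


@dataclass
class Container:
    dn: str
    acl: List[ACE] = field(default_factory=list)


def ace_matches(ace: ACE, principals: Set[str], right: str,
                object_class: str, attribute: Optional[str]) -> bool:
    """True if this ACE speaks to the requested operation at all."""
    return (ace.trustee in principals
            and right in ace.rights
            and ace.object_class in (None, object_class)
            and ace.attribute in (None, attribute))


def is_allowed(container: Container, principals: Set[str], right: str,
               object_class: str, attribute: Optional[str] = None) -> bool:
    """Deny-first evaluation: any matching Deny ACE wins over any Grant, and
    with no matching ACE at all the answer is deny (nothing is granted by default)."""
    matching = [ace for ace in container.acl
                if ace_matches(ace, principals, right, object_class, attribute)]
    if any(not ace.allow for ace in matching):
        return False
    return any(ace.allow for ace in matching)


JAMES = "James Smith"
MANAGE = frozenset({"Create", "Modify", "Delete"})

# The three ACEs from the glossary, placed on a constructed OU.
corporate_accounting = Container(
    "OU=Corporate Accounting,DC=example,DC=test",
    [ACE(JAMES, True, MANAGE, "User"),
     ACE(JAMES, True, MANAGE, "Group"),
     ACE(JAMES, True, frozenset({"Write"}), "User", "Password")])

# A constructed sibling OU with no ACEs for James: he gets nothing there.
sales = Container("OU=Sales,DC=example,DC=test")

# A constructed OU showing that an explicit Deny beats a Grant on the same ACL.
restricted = Container(
    "OU=Restricted,DC=example,DC=test",
    [ACE(JAMES, True, MANAGE, "User"),
     ACE(JAMES, False, frozenset({"Delete"}), "User")])


def demo() -> dict:
    """Requests James might make, each resolved to allowed (True) or denied (False)."""
    p = {JAMES}
    return {
        "create_user_in_accounting": is_allowed(corporate_accounting, p, "Create", "User"),
        "create_group_in_accounting": is_allowed(corporate_accounting, p, "Create", "Group"),
        "create_computer_in_accounting": is_allowed(corporate_accounting, p, "Create", "Computer"),
        "set_password_in_accounting": is_allowed(corporate_accounting, p, "Write", "User", "Password"),
        "write_title_in_accounting": is_allowed(corporate_accounting, p, "Write", "User", "Title"),
        "create_user_in_sales": is_allowed(sales, p, "Create", "User"),
        "delete_user_in_restricted": is_allowed(restricted, p, "Delete", "User"),
        "modify_user_in_restricted": is_allowed(restricted, p, "Modify", "User"),
    }


if __name__ == "__main__":
    for request, ok in demo().items():
        print(f"{request}: {'allowed' if ok else 'denied'}")
```

The two things worth noticing when reading the output are that the absence of an ACE is a denial (James cannot create Computer objects, nor touch any attribute other than Password, nor do anything in Sales) and that a Deny ACE overrides a Grant even when both are on the same container, which is why delegated rights should be audited for unexpected Deny entries as well as overly broad Grants.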

directory -- a hierarchical structure that stores information about objects on the network.

directory service -- such as Active Directory; provides the methods for storing directory data and making this data available to network users and administrators. For example, Active Directory stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information. See also Active Directory, directory partition.

directory-enabled networking (DEN) -- the management of network elements such as routers, applications, and users from a central repository of information about users, applications, and network resources.

directory partition -- a contiguous subtree of the directory that forms a unit of replication. A given replica is always a replica of some directory partition. Active Directory is made up of one or more directory partitions.

In Active Directory a single server always holds at least three directory partitions:

  • The schema
  • The configuration (replication topology and related metadata)
  • One or more per-domain directory partitions (subtrees containing the actual objects in the directory)

The schema and configuration are replicated to every domain controller in a given forest. The per-domain directory partition is replicated only to domain controllers for that domain.

distinguished name -- identifies the domain that holds the object as well as the complete path through the container hierarchy by which the object is reached. Every object in the Active Directory has a unique distinguished name. A typical distinguished name might be: CN=JamesSmith,CN=Users,DC=Microsoft,DC=Com. This distinguished name identifies the “James Smith” user object in the Microsoft.com domain.

DNS -- see Domain Name System.

domain -- a single security boundary of a Windows NT-based computer network. Active Directory is made up of one or more domains. On a standalone workstation, the domain is the computer itself. A domain can span more than one physical location. Every domain has its own security policies and security relationships with other domains. When multiple domains are connected by trust relationships and share a common schema, configuration, and global catalog, they constitute a domain tree. Multiple domain trees can be connected together to create a forest. See also domain controller, domain local group.

domain controller -- a Windows NT-based server holding an Active Directory partition. See domain.

domain local group -- can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain. A domain local group can only be used on ACLs in its own domain. See also domain, forest.

Domain Name System (DNS) -- a hierarchical distributed database used for name/address translation and client-server rendezvous. Domain Name System is the namespace used on the Internet to translate computer and service names into TCP/IP addresses. Active Directory uses DNS as its location service, and so clients find domain controllers via DNS queries.

E

Extensible Storage Engine (ESE) -- the Active Directory database engine. ESE (Esent.dll) is an improved version of the Jet database that is used in Microsoft Exchange Server versions 4.x and 5.5. It implements a transacted database system, which means that it uses log files to ensure that committed transactions are safe.

F

forest -- a group of one or more Active Directory trees that trust each other. All trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. All trees in a given forest trust each other through transitive bidirectional trust relationships. Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of trust. See also tree, global catalog.

G

global catalog (GC) -- the global catalog contains a partial replica of every Windows 2000 domain in the directory. The GC lets users and applications find objects in an Active Directory domain tree given one or more attributes of the target object. It also contains the schema and configuration directory partitions. This means the global catalog holds a replica of every object in the Active Directory, but with only a small number of their attributes. The attributes in the global catalog are those most frequently used in search operations (such as a user’s first and last names, logon names, and so on), and those required to locate a full replica of the object. The GC allows users to find objects of interest quickly without knowing what domain holds them and without requiring a contiguous extended namespace in the enterprise. The global catalog is built automatically by the Active Directory replication system.

GC -- see global catalog.

global catalog server -- a Windows 2000 domain controller that holds a copy of the global catalog for the forest. See also global catalog.

global group -- can appear on ACLs anywhere in the forest and may contain users and other global groups from its own domain.

group -- see global group, domain local group, universal group, and Group Policy.

Group Policy -- refers to applying policy to groups of computers and/or users contained within Active Directory containers. The type of policy includes not only registry-based policy found in Windows NT Server 4.0, but is enabled by Directory Services to store many types of policy data, for example: file deployment, application deployment, logon/logoff scripts and startup/shutdown scripts, domain security, Internet Protocol security (IPSec), and so on. The collections of policies are referred to as Group Policy objects (GPOs).

Group Policy object (GPO) -- a virtual collection of policies. It is given a unique name, such as a globally unique identifier (GUID). GPOs store group policy settings in two locations: a Group Policy container (GPC) (preferred) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects). The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located on the system volume folder of the domain controller.

A GPO can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit. Multiple containers can be associated with the same GPO, and a single container can have more than one associated GPO.

In addition, by default every computer receives a local Group Policy object (LGPO) that contains only security-specific policies. It is also possible for the administrator to set and apply different local group policies on individual computers. This is useful for computers that are not members of a domain, or computers that the administrator wishes to exempt from Group Policy inherited from the domain.  See Group Policy.

GPO -- see Group Policy object.

H

hierarchical namespace -- a namespace, such as the DNS namespace and the Active Directory namespace, that is hierarchically structured and provides rules that allow the namespace to be partitioned. See also namespace.

K

Kerberos -- a security system that authenticates users. Kerberos doesn’t provide authorization to services or databases; it establishes identity at logon, which is used throughout the session. The Kerberos protocol is the primary authentication mechanism in the Windows 2000 operating system.

Knowledge Consistency Checker (KCC) -- a built-in service that runs on all domain controllers and automatically establishes connections between individual machines in the same site. These are known as Windows 2000 Directory Service connection objects. An administrator may establish additional connection objects or remove connection objects. At any point, however, where replication within a site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as necessary to resume Active Directory replication.

L

Lightweight Directory Access Protocol (LDAP) -- a protocol used to access a directory service. LDAP support is currently being implemented in Web browsers and e-mail programs, which can query an LDAP-compliant directory. LDAP is a simplified version of the Directory Access Protocol (DAP), which is used to gain access to X.500 directories. It is easier to code the query in LDAP than in DAP, but LDAP is less comprehensive. For example, DAP can initiate searches on other servers if an address is not found, while LDAP cannot in its initial specification. Lightweight Directory Access Protocol is the primary access protocol for Active Directory.

M

mixed mode -- allows domain controllers running both Windows 2000 and earlier versions of Windows NT to co-exist in the domain. In mixed mode, the domain features from previous versions of Windows NT Server are still enabled, while some Windows 2000 features are disabled. Windows 2000 Server domains are installed in mixed mode by default. In mixed mode the domain may have Windows NT 4.0 backup domain controllers present. Nested groups are not supported in mixed mode. Compare native mode.

multi-master replication -- a feature of Active Directory that provides and maintains copies of the directory across multiple servers in a domain. Since all replicas of a given directory partition are writable, updates can be applied to any replica of a given partition. The Active Directory replication system propagates the changes from a given replica to all other replicas. Replication is automatic and transparent.

Active Directory multi-master replication propagates every object (such as users, groups, computers, domains, organization units, security policies, and so on) created on any domain controller to each of the other participating domain controllers. If one domain controller in a domain slows or fails, other domain controllers in the same domain can provide the necessary directory access because they contain the same directory data. See also replication.

N

native mode -- when all the domain controllers in a given domain are running Windows 2000 Server. This mode allows organizations to take advantage of new Active Directory features such as Universal groups, nested group membership, and inter-domain group membership. Compare mixed mode.

namespace -- a name or group of names that are defined according to some naming convention; any bounded area in which a given name can be resolved. Active Directory is primarily a namespace, as is any directory service. A telephone directory is also a namespace. The Internet uses a hierarchical namespace that partitions names into categories known as top-level domains such as .com, .edu, and .gov, which are at the top of the hierarchy.

name resolution -- the process of translating a name into some object or information that the name represents. A telephone book forms a namespace in which the names of telephone subscribers can be resolved into telephone numbers. The Windows NTFS file system forms a namespace in which the name of a file can be resolved into the file itself. Similarly, Active Directory forms a namespace in which the name of an object in the directory can be resolved into the object itself.

O

object -- a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. The attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user’s given name, surname, and e-mail address.

object identifier -- a number identifying an object class or attribute in a directory service. Object identifiers are issued by issuing authorities and form a hierarchy. An object identifier is represented as a dotted decimal string (for example, “1.2.3.4”). Enterprises (and individuals) can obtain a root object identifier from an issuing authority and use it to allocate additional object identifiers. For example, Microsoft has been issued the root object identifier of 1.2.840.113556. Microsoft manages further branches from this root internally. One of these branches is used to allocate an object identifier for Active Directory classes, another for Active Directory attributes, and so on.

Most countries in the world have an identified national registration authority (NRA) responsible for issuing object identifiers to enterprises. In the United States, the NRA is the American National Standards Institute (ANSI). An enterprise can register a name for the object identifier as well. There is a fee associated with both root object identifiers and registered names. For details, contact the NRA for your country. The International Standards Organization recognizes NRAs and maintains a list of contacts on the ISO Web site.  See also object, attribute.

organizational unit (OU) -- a container object that is an Active Directory administrative partition. OUs can contain users, groups, resources, and other OUs. Organizational Units enable the delegation of administration to distinct subtrees of the directory.

OU -- see organizational unit.

P

parent-child trust relationship -- the two-way, transitive trust relationship that is established when you add a domain to an Active Directory tree. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new child domain) and the parent domain.

partition -- a complete unit of replication within the store. See also directory partition.

PDC -- see primary domain controller.

PKI -- see public key infrastructure.

policy -- the set of rules that govern the interaction between a subject and an object. For example, when an Internet Protocol (IP) security agent (the subject) starts on a given computer (the object) a policy determines how that computer will participate in secure IP connections.

policy engine -- software that executes at decision points to perform policy selection, to evaluate conditions, and determine what actions must be performed. The concept of the policy engine is quite diffuse; policy engine functionality will often be spread through many parts of the distributed system. For example, Windows 2000 provides a policy infrastructure that includes a policy store (Group Policy object), a policy engine that runs as part of user logon (WinLogon), and an API for services to invoke the policy selection process on demand (GetGPOList). Some applications and services will use WinLogon integration to apply their policies to users; others will use GetGPOList to implement their own policy decision and enforcement points.

primary domain controller (PDC) -- in a Windows NT Server 4.0 or earlier domain, the PDC is the computer running Windows NT Server that authenticates domain logons and maintains the directory database for a domain. The PDC tracks changes made to accounts of all computers on a domain. It is the only computer to receive these changes directly. A domain has only one primary domain controller. In Windows 2000, one of the domain controllers in each domain is identified as the PDC for compatibility with downlevel clients and servers. See domain controller, backup domain controller.

profile -- a collection of information selected and applied to the interaction between a subject and an object by an action that is the outcome of evaluation of policy conditions. The content of a profile is specific to the subjects and objects in question. Profiles can further simplify administration by reducing the total number of policies. For example, a given server application may have a large number of configuration parameters. A policy for that application can reference the profile; this is simpler than using multiple policies to accomplish the same thing. See policy, object.

public key infrastructure (PKI) -- a policy for establishing a secure method for exchanging information within an organization, an industry, or a nation. PKI is also an integrated set of services and administrative tools for creating, deploying, and managing public-key-based applications. It includes the cryptographic methods, the use of digital certificates and certification authorities (CAs), and the system for managing the process.

R

relative distinguished name (RDN) -- the part of the name of an object that is an attribute of the object itself. The attribute that provides the RDN for an object is referred to as the naming attribute. See also distinguished name.
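The distinguished name and relative distinguished name entries describe a string format that code handling directory objects has to take apart correctly, including values that themselves contain commas. The following Python parser is an added example, not part of the glossary or of any Microsoft library: it splits a DN in the LDAP string form (RFC 4514 style, backslash escaping) into its RDNs, returns the object's own RDN and parent container, and derives the domain's DNS name from the DC components. The first DN is the glossary's own example; the escaped "Smith, James" DN, the OU and domain names, and all function names are constructed for this demonstration.

```python
"""Parse Active Directory distinguished names into RDNs.

Added example: an RFC 4514-style DN parser with backslash escaping.
"""
from typing import List, Tuple

RDN = Tuple[str, str]          # (naming attribute, value), e.g. ("CN", "JamesSmith")
_SPECIAL = set(',+"\\<>;=')    # characters that must be escaped inside a value


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, but not where it is preceded by a backslash."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Turn '\\,' into ',' and so on."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _escape(value: str) -> str:
    """Inverse of _unescape, also protecting a leading '#' and leading/trailing spaces."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def split_dn(dn: str) -> List[RDN]:
    """Most specific RDN first, attribute types normalised to upper case."""
    rdns: List[RDN] = []
    for raw in _split_unescaped(dn, ","):
        raw = raw.strip()
        if not raw:
            continue
        attr, sep, value = raw.partition("=")   # attribute types never contain '='
        if not sep:
            raise ValueError(f"RDN without '=': {raw!r}")
        rdns.append((attr.strip().upper(), _unescape(value)))
    return rdns


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


def rdn_of(dn: str) -> RDN:
    """The object's own relative distinguished name (its naming attribute and value)."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The container that holds the object: everything after the first RDN."""
    return join_dn(split_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """DNS name of the domain holding the object, read from the DC components."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")


if __name__ == "__main__":
    for dn in ("CN=JamesSmith,CN=Users,DC=Microsoft,DC=Com",
               "CN=Smith\\, James,OU=Corporate Accounting,DC=example,DC=test"):
        print(rdn_of(dn), "in", parent_dn(dn), "domain", domain_dns_name(dn))
```

Splitting on the escaped form first and unescaping each value afterwards is what keeps "Smith\, James" as one RDN; a naive `dn.split(",")` would report that object as living in a container called "James". The same care matters when a DN taken from user input is used to build a filter or to decide which container an object belongs to.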

replication -- in database management, the function that keeps distributed databases synchronized by routinely copying the entire database or subsets of the database to other servers in the network. There are several methods of replication, including primary site replication, shared or transferred ownership replication, symmetric replication (also known as update-anywhere or peer-to-peer replication), and failover replication. See the Tech Encyclopedia for complete definitions of the different methods of replication.

Active Directory provides multi-master replication, which is a form of symmetric replication (see multi-master replication).

S

schema -- the definition of an entire database; the universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object base. See also object, attribute.

schema master -- the domain controller assigned to control all updates to the schema within a forest. At any time, there can be only one schema master in the forest. See also domain controller, forest, schema.

SID -- security identifier. See also access control entry.

single-master operations -- Active Directory operations that are single-master, that is, not permitted to occur at different places in the network at the same time. Examples of these operations include:

  • Relative identifier (RID) allocation
  • Schema modification
  • Primary domain controller (PDC) election
  • Certain infrastructure changes

site -- a location in a network holding Active Directory servers. A site is defined as one or more well connected TCP/IP subnets. Well-connected means that network connectivity is highly reliable and fast (LAN speeds, 10 megabits per second or greater).

Sites play a major role in the Active Directory replication service, which differentiates between replication using a local network connection (intra-site replication) and replication over a slower wide area network (WAN) link (inter-site replication). Administrators use the Active Directory Sites and Services Manager snap-in to administer replication topology for both intra- and inter-site replication.

store -- the physical storage for each Active Directory replica. When an object is stored in Active Directory, the system will select a copy of the store and write the object there. The replication system will replicate the object on all other replicas. The store is implemented using the Extensible Storage Engine (ESE). See also Extensible Storage Engine.

T

transitive trust -- the trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or that can exist between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. Transitive trusts are always two-way relationships. This series of trusts, between parent and child domains in a domain tree and between root domains of domain trees in a forest, allows all domains in a forest to trust each other for the purposes of authentication. For example, if domain A trusts domain B and domain B trusts domain C, then domain A trusts domain C. See also tree, forest.

tree -- a set of Windows NT domains connected together through transitive, bidirectional trust, sharing a common schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace such that if a.com is the root of the tree, b.a.com is a child of a.com, c.b.a.com is a child of b.a.com, and so on. See also schema, forest.
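The transitive trust and tree entries state two rules that are worth checking mechanically: trust reaches across a forest through chains of two-way transitive trusts (if A trusts B and B trusts C, A trusts C), while a tree's domains must form a contiguous DNS namespace under the tree root. The Python below is an added example, not part of the glossary or of Windows: it models a trust graph in which parent-child and tree-root trusts are transitive and an external trust to a domain outside the forest is not, and it computes which domains a given domain accepts for authentication. The domain names (a.com, b.a.com, c.b.a.com, x.org, y.x.org, ext.test), the `TrustGraph` class and the helper names are constructed for this demonstration.

```python
"""Transitive trust closure and contiguous tree namespace check.

Added example: a small model of Windows 2000 style trust relationships.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple


class TrustGraph:
    def __init__(self) -> None:
        # trusting domain -> [(trusted domain, transitive?)]
        self._edges: Dict[str, List[Tuple[str, bool]]] = defaultdict(list)

    def add_trust(self, trusting: str, trusted: str,
                  transitive: bool = True, two_way: bool = True) -> None:
        self._edges[trusting.lower()].append((trusted.lower(), transitive))
        if two_way:
            self._edges[trusted.lower()].append((trusting.lower(), transitive))

    def trusted_by(self, domain: str) -> Set[str]:
        """Domains whose accounts `domain` accepts for authentication.

        Transitive trusts chain (forest-wide reach); a non-transitive trust
        counts only as a direct hop from the starting domain."""
        start = domain.lower()
        seen = {start}
        queue = deque([start])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self._edges[current]:
                if transitive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        for nxt, transitive in self._edges[start]:
            if not transitive:
                seen.add(nxt)          # external trust: this one hop, no further
        return seen


def parent_domain(name: str) -> str:
    """'c.b.a.com' -> 'b.a.com'; '' for a root with no parent label."""
    _head, sep, rest = name.partition(".")
    return rest if sep else ""


def check_tree(root: str, domains: List[str]) -> List[str]:
    """Domains that break the contiguous-namespace rule for a tree rooted at `root`."""
    root = root.lower()
    return [d for d in domains
            if d.lower() != root and not d.lower().endswith("." + root)]


def build_forest() -> TrustGraph:
    """Constructed forest: two trees joined at their roots, plus one external trust."""
    g = TrustGraph()
    for tree in (["a.com", "b.a.com", "c.b.a.com"], ["x.org", "y.x.org"]):
        for child in tree[1:]:
            g.add_trust(child, parent_domain(child))            # parent-child, transitive
    g.add_trust("x.org", "a.com")                                 # tree-root trust inside the forest
    g.add_trust("c.b.a.com", "ext.test", transitive=False)       # external trust, non-transitive
    return g


if __name__ == "__main__":
    forest = build_forest()
    for d in ("c.b.a.com", "a.com", "ext.test"):
        print(d, "trusts", sorted(forest.trusted_by(d)))
    print("outside tree a.com:", check_tree("a.com", ["a.com", "b.a.com", "c.b.a.com", "x.org"]))
```

Running it shows the security consequence the glossary hints at: every domain in the forest, including the other tree, ends up in the closure of c.b.a.com, so a forest rather than a domain is the real security boundary, whereas the external trust to ext.test stays a single hop in both directions and gives ext.test no path to b.a.com or a.com.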

U

universal group -- the simplest form of group. Universal groups can appear in ACLs anywhere in the forest, and can contain other universal groups, global groups, and users from anywhere in the forest. Small installations can use universal groups exclusively and not concern themselves with global and local groups.
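The domain local, global and universal group entries (and the note under mixed mode that nested groups are not supported) together form a membership rule set that is easy to get wrong when scripting group changes. The following Python validator is an added example, not part of the glossary or of Windows: it encodes exactly the rules stated in those entries, returns a reason when a membership would be invalid, and answers the separate question of where a group may be used on an ACL. The principal names, the domains hr.example and sales.example, the `kind` labels and the function names are constructed for this demonstration.

```python
"""Validate group membership and ACL usability by group scope.

Added example encoding the glossary's scope rules for Windows 2000 groups.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str        # "user", "global", "domain_local" or "universal"


def can_be_member(member: Principal, group: Principal,
                  native_mode: bool = True) -> Optional[str]:
    """None if `member` may be placed in `group`, otherwise the rule that forbids it."""
    if group.kind == "user":
        return "a user cannot have members"
    if not native_mode:
        # Mixed mode: no universal groups and no group nesting at all.
        if group.kind == "universal":
            return "universal groups require native mode"
        if member.kind != "user":
            return "nested groups are not supported in mixed mode"
    same_domain = member.domain.lower() == group.domain.lower()

    if group.kind == "global":
        # Only users and global groups from the group's own domain.
        if member.kind in ("user", "global") and same_domain:
            return None
        return "a global group may contain only users and global groups from its own domain"

    if group.kind == "domain_local":
        # Users and global groups from any domain in the forest, universal groups,
        # and domain local groups from its own domain.
        if member.kind in ("user", "global", "universal"):
            return None
        if member.kind == "domain_local" and same_domain:
            return None
        return "a domain local group may contain domain local groups only from its own domain"

    if group.kind == "universal":
        # Users, global groups and universal groups from anywhere in the forest.
        if member.kind in ("user", "global", "universal"):
            return None
        return "a universal group cannot contain domain local groups"

    return f"unknown group kind {group.kind!r}"


def can_use_on_acl(group: Principal, resource_domain: str) -> bool:
    """Domain local groups are usable only on ACLs in their own domain;
    global and universal groups may appear on ACLs anywhere in the forest."""
    if group.kind == "domain_local":
        return group.domain.lower() == resource_domain.lower()
    return True


if __name__ == "__main__":
    # Constructed sample principals.
    alice = Principal("alice", "hr.example", "user")
    bob = Principal("bob", "sales.example", "user")
    hr_staff = Principal("HR-Staff", "hr.example", "global")
    share_readers = Principal("Share-Readers", "sales.example", "domain_local")
    for member, group in ((alice, hr_staff), (bob, hr_staff), (hr_staff, share_readers)):
        verdict = can_be_member(member, group)
        print(f"{member.name} in {group.name}: {'ok' if verdict is None else verdict}")
    print("Share-Readers usable on hr.example ACL:", can_use_on_acl(share_readers, "hr.example"))
```

The check is deliberately split in two because the two questions fail differently: an invalid nesting is rejected by the directory, but a domain local group placed on an ACL in another domain is simply ignored there, which shows up as users silently not getting the access an administrator thinks they granted.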

W

well-connected -- sufficient connectivity to make your network and Active Directory useful to clients on your network. The precise meaning of the term is determined by your particular needs.

X

X.500 -- a set of standards defining a distributed directory service, developed by the International Standards Organization (ISO).

