1.1 Glossary

msdn link

This document uses the following terms:

88 object class: An object class as specified in the X.500 directory specification ([X501] section 8.4.3). An 88 object class can be instantiated as a new object, like a structural object class, and on an existing object, like an auxiliary object class.

abstract object class: An object class whose only function is to be the basis of inheritance by other object classes, thereby simplifying their definition.

access check: A verification to determine whether a specific access type is allowed by checking a security context against a security descriptor.

access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited.

access control list (ACL): A list of access control entries (ACEs) that collectively describe the security rules for authorizing access to some resource; for example, an object or set of objects.

access mask: A 32-bit value present in an access control entry (ACE) that specifies the allowed or denied rights to manipulate an object.

account domain: A domain, identified by a security identifier (SID), that is the SID namespace for which a given machine is authoritative. The account domain is the same as the primary domain for a domain controller (DC) and is its default domain. For a machine that is joined to a domain, the account domain is the SID namespace defined by the local Security Accounts Manager [MS-SAMR].

ACID: A term that refers to the four properties that any database system must achieve in order to be considered transactional: Atomicity, Consistency, Isolation, and Durability [GRAY].

active: A state of an attributeSchema or classSchema object that represents part of the schema. It is possible to instantiate an active attribute or an active class. The opposite term is defunct.

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

Active Directory Domain Services (AD DS): A directory service (DS) implemented by a domain controller (DC). The DS provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs.  AD DS is a deployment of Active Directory [MS-ADTS].

Active Directory Lightweight Directory Services (AD LDS): A directory service (DS) implemented by a domain controller (DC). AD LDS is a deployment of Active Directory [MS-ADTS]. The most significant difference between AD LDS and Active Directory Domain Services (AD DS) is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. Each DC is an independent AD LDS instance, with its own independent state. AD LDS can be run as an operating system DS or as a directory service provided by a standalone application (Active Directory Application Mode (ADAM)).

Advanced Encryption Standard (AES): A block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].

ambiguous name resolution (ANR): A search algorithm that permits a client to search multiple naming-related attributes on objects by way of a single clause of the form "(anr=value)" in a Lightweight Directory Access Protocol (LDAP) search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.

application naming context (application NC): A specific type of naming context (NC), or an instance of that type, that supports only full replicas (no partial replicas). An application NC cannot contain security principal objects in Active Directory Domain Services (AD DS), but can contain security principal objects in Active Lightweight Directory Services (AD LDS). A forest can have zero or more application NCs in either AD DS or AD LDS. An application NC can contain dynamic objects. Application NCs do not appear in the global catalog (GC). The root of an application NC is an object of class domainDNS.

ASN.1: Abstract Syntax Notation One. ASN.1 is used to describe Kerberos datagrams as a sequence of components, sent in messages. ASN.1 is described in the following specifications: [ITUX660] for general procedures; [ITUX680] for syntax specification, and [ITUX690] for the Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER) encoding rules.

attribute: An identifier for a single or multivalued data element that is associated with a directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

attribute syntax: Specifies the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object, as specified in [MS-ADTS] section 3.1.1.2. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), Object(DS-DN), and String(Unicode).

AttributeStamp: The type of a stamp attached to an attribute.

authentication: The act of proving an identity to a server while providing key material that binds the identity to subsequent communications.

authorization: The secure computation of roles and accesses granted to an identity.

auxiliary object class: An object class that cannot be instantiated in the directory but can be either added to, or removed from, an existing object to make its attributes available for use on that object; or associated with an abstract or structural object class to add its attributes to that abstract or structural object class.

back link attribute: A constructed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The back link values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between the forward link attributes and back link attributes is expressed using the linkId attribute on the attributeSchema objects representing the two attributes. The forward link's linkId is an even number, and the back link's linkId is the forward link's linkId plus one. For more information, see [MS-ADTS] section 3.1.1.1.6.

back link value: The value of a back link attribute.

backup domain controller (BDC): A domain controller (DC) that receives a copy of the domain directory database from the primary domain controller (PDC). This copy is synchronized periodically and automatically with the primary domain controller (PDC). BDCs also authenticate user logons and can be promoted to function as the PDC. There is only one PDC or PDC emulator in a domain, and the rest are backup domain controllers.

base64 encoding: A binary-to-text encoding scheme whereby an arbitrary sequence of bytes is converted to a sequence of printable ASCII characters, as described in [RFC4648].

Basic Encoding Rules (BER): A set of encoding rules for ASN.1 notation. These encoding schemes allow the identification, extraction, and decoding of data structures. These encoding rules are defined in [ITUX690].

big-endian: Multiple-byte values that are byte-ordered with the most significant byte stored in the memory location with the lowest address.

binary large object (BLOB): A collection of binary data stored as a single entity in a database.

bridgehead domain controller (bridgehead DC): A domain controller (DC) that may replicate updates to or from DCs in sites other than its own.

broadcast: A style of resource location or data transmission in which a client makes a request to all parties on a network simultaneously (a one-to-many communication). Also, a mode of resource location that does not use a name service.

built-in domain: The security identifier (SID) namespace defined by the fixed SID S-1-5-32. Contains groups that define roles on a local machine such as Backup Operators.

built-in domain SID: The fixed SID S-1-5-32.

canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a path that still identifies an object within a forest. DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/".

child naming context (child NC): Given naming contexts (NCs) with their corresponding distinguished names (DNs) forming a child and parent relationship, the NC in the child relationship is referred as the child NC. The parent of a child NC must be an NC and is referred to as the parent naming context (parent NC).

child object, children: An object that is not the root of its tree. The children of an object o are the set of all objects whose parent is o. See section 1 of [MS-ADTS] and section 1 of [MS-DRSR].

claim: An assertion about a security principal expressed as the n-tuple {Identifier, ValueType, m Value(s) of type ValueType} where m is greater than or equal to 1. A claim with only one Value in the n-tuple is called a single-valued claim; a claim with more than one Value is called a multi-valued claim.

code page: An ordered set of characters of a specific script in which a numerical index (code-point value) is associated with each character. Code pages are a means of providing support for character sets and keyboard layouts used in different countries. Devices such as the display and keyboard can be configured to use a specific code page and to switch from one code page (such as the United States) to another (such as Portugal) at the user's request.

Component Object Model (COM): An object-oriented programming model that defines how objects interact within a single process or between processes. In COM, clients have access to an object through interfaces implemented on the object. For more information, see [MS-DCOM].

computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.

configuration naming context (config NC): A specific type of naming context (NC), or an instance of that type, that contains configuration information. In Active Directory, a single config NC is shared among all domain controllers (DCs) in the forest. A config NC cannot contain security principal objects.

connection: A link between two devices that uses the Simple Symmetric Transport Protocol (SSTP). Each connection can support one or more SSTP sessions.

constructed attribute: An attribute whose values are computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write).

container: An object in the directory that can serve as the parent for other objects. In the absence of schema constraints, all objects would be containers. The schema allows only objects of specific classes to be containers.

control access right: An extended access right that can be granted or denied on an access control list (ACL).

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

cross-forest trust: A relationship between two forests that enables security principals from any domain in one forest to authenticate to computers joined to any domain in the other forest.

crossRef object: An object residing in the partitions container of the config NC that describes the properties of a naming context (NC), such as its domain naming service name, operational settings, and so on.

DC functional level: A specification of functionality available in a domain controller (DC). See [MS-ADTS] section 6.1.4.2 for possible values and a mapping between the possible values and product versions.

default domain naming context (default domain NC): When Active Directory is operating as Active Directory Domain Services (AD DS), this is the default naming context (default NC) of the domain controller (DC). When operating as Active Directory Lightweight Directory Services (AD LDS), this NC is not defined.

default naming context (default NC): When Active Directory is operating as Active Directory Domain Services (AD DS), the default naming context (default NC) is the domain naming context (domain NC) whose full replica is hosted by a domain controller (DC), except when the DC is a read-only domain controller (RODC), in which case the default NC is a filtered partial NC replica. When operating as AD DS, a DC's default NC is the NC of its default NC replica, and the default NC contains the DC's computer object. When Active Directory is operating as AD LDS, the default NC is the naming context (NC) specified by the msDS-DefaultNamingContext attribute on the nTDSDSA object for the DC. See nTDSDSA object.

default schema: The schema of a given version of Active Directory, as defined by [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3] for AD DS, and as defined by [MS-ADLS] for Active Directory Lightweight Directory Services (AD LDS).

defunct: A state of an attributeSchema or classSchema object that represents part of the schema. It is not possible to instantiate a defunct attribute or a defunct class. The opposite term is active.

deleted-object: An object that has been deleted, but remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed to a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion, and can be undeleted without loss of information. Deleted-objects exist only when the Recycle Bin optional feature is enabled.

deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.

digest: The fixed-length output string from a one-way hash function that takes a variable-length input string and is probabilistically unique for every different input string. Also, a cryptographic checksum of a data (octet) stream.

directory: A forest.

directory object: An Active Directory object, which is a specialization of the "object" concept that is described in [MS-ADTS] section 1 or [MS-DRSR] section 1, Introduction, under Pervasive Concepts. An Active Directory object can be identified by the objectGUID attribute of a dsname according to the matching rules defined in [MS-DRSR] section 5.50, DSNAME. The parent-identifying attribute (not exposed as an LDAP attribute) is parent. Active Directory objects are similar to LDAP entries, as defined in [RFC2251]; the differences are specified in [MS-ADTS] section 3.1.1.3.1.

directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. See also Active Directory.

directory service agent (DSA): A term from the X.500 directory specification [X501] that represents a component that maintains and communicates directory information.

discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.

distinguished name (DN): In Lightweight Directory Access Protocol (LDAP), an LDAP Distinguished Name, as described in [RFC2251] section 4.1.3. The DN of an object is the DN of its parent, preceded by the RDN of the object. For example: CN=David Thompson, OU=Users, DC=Microsoft, DC=COM. For definitions of CN and OU, see [RFC2256] sections 5.4 and 5.12, respectively.

DNS name: A fully qualified domain name (FQDN).

domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS].

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS].

domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every domain controller (DC) that hosts a replica of the domain's naming context (NC). For information on defined levels, corresponding features, information on how the domain functional level is determined, and supported domain controllers, see [MS-ADTS] sections 6.1.4.2 and 6.1.4.3. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), domain functional level does not exist.

domain joined: A relationship between a machine and some domain naming context (domain NC) in which they share a secret. The shared secret allows the machine to authenticate to a domain controller (DC) for the domain.

domain local group: An Active Directory group that allows user objects, global groups, and universal groups from any domain as members. It can additionally include, and be a member of, other domain local groups from within its domain. A group object g is a domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is present in g!groupType; see [MS-ADTS] section 2.2.12, "Group Type Flags". A security-enabled domain local group is valid for inclusion within access control lists (ACLs) from its own domain. If a domain is in mixed mode, then a security-enabled domain local group in that domain allows only user objects as members.

domain name: A domain name or a NetBIOS name that identifies a domain.

Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

domain naming context (domain NC): A specific type of naming context (NC), or an instance of that type, that represents a domain. A domain NC can contain security principal objects; no other type of NC can contain security principal objects. Domain NCs appear in the global catalog (GC). A domain NC is hosted by one or more domain controllers (DCs) operating as AD DS. In AD DS, a forest has one or more domain NCs. A domain NC cannot exist in AD LDS. The root of a domain NC is an object of class domainDNS; for directory replication [MS-DRSR], see domainDNS.

domain prefix: A security identifier (SID) of a domain without the relative identifier (RID) portion. The domain prefix refers to the issuing authority SID. For example, the domain prefix of S-1-5-21-397955417-626881126-188441444-1010 is S-1-5-21-397955417-626881126-188441444.

downlevel trust: A trust in which one of the peers is running Windows NT 4.0 operating system.

DSA GUID: The objectGUID of a DSA object.

dsname: A tuple that contains between one and three identifiers for an object. The term dsname does not stand for anything. The possible identifiers are the object's GUID (attribute objectGuid), security identifier (SID) (attribute objectSid), and distinguished name (DN) (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)). Given a DSName, an object can be identified within a set of NC replicas according to the matching rules defined in [MS-DRSR] section 5.49.

dynamic object: An object with a time-to-die (attribute msDS-Entry-Time-To-Die). The directory service garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, the difference between the current time and msDS-Entry-Time-To-Die. For more information, see [RFC2589].

entry: In Active Directory, a synonym for object.

existing-object: An object that is not a tombstone, deleted-object, or recycled-object.

expunge: To permanently remove an object from a naming context (NC) replica, without converting it to a tombstone.

Extended-Rights container: A container holding objects that correspond to control access rights. The container is a child of configuration naming context (config NC) and has relative distinguished name (RDN) CN=Extended-Rights.

File Replication Service (FRS): One of the services offered by a domain controller (DC), which is advertised through the Domain Controller Location protocol. The service being offered to clients is a replicated data storage volume that is associated with the default naming context (NC). The running or paused state of the FRS on a DC is available through protocols documented in [MS-ADTS] section 6.3.

filter: In the context of the Lightweight Directory Access Protocol (LDAP), the filter is one of the parameters in a search request. The filter specifies matching constraints for the candidate objects.

filtered attribute set: The subset of attributes that are not replicated to the filtered partial NC replica and the filtered GC partial NC replica. The filtered attribute set is part of the state of the forest and is used to control the attributes that replicate to a read-only domain controller (RODC). The searchFlags schema attribute is used to define this set.

filtered GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects. The attributes consist of the attributes in the GC partial attribute set (PAS), excluding those present in the filtered attribute set. A filtered GC partial NC replica is not writable; that is, it does not accept originating updates.

filtered partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable; that is, it does not accept originating updates.

flexible single master operation (FSMO): A read or update operation on a naming context (NC), such that the operation must be performed on the single designated master replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term, pronounced "fizmo", is never used alone; see also FSMO role, FSMO role owner, and FSMO object.

foreign principal object (FPO): A foreignSecurityPrincipal object.

forest: For Active Directory Domain Services (AD DS), a set of naming contexts (NCs) consisting of one schema naming context (schema NC), one configuration naming context (config NC), one or more domain naming contexts (domain NCs), and zero or more application naming contexts (application NCs). Because a set of NCs can be arranged into a tree structure, a forest is also a set containing one or several trees of NCs. For AD LDS, a set of NCs consisting of one schema NC, one config NC, and zero or more application NCs. (In Microsoft documentation, an AD LDS forest is called a "configuration set".)

forest functional level: A specification of functionality available in a forest. It must be less than or equal to the domain controller (DC) functional level of every DC in the forest. See [MS-ADTS] section 6.1.4.4 for information on how the forest functional level is determined.

forest root domain NC: For Active Directory Domain Services (AD DS), the domain naming context (domain NC) within a forest whose child is the forest's configuration naming context (config NC). The fully qualified domain name (FQDN) of the forest root domain NC serves as the forest's name.

forward link attribute: An attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, a back link attribute, on other objects. If an object o refers to object r in forward link attribute f, and there exists a back link attribute b corresponding to f, then a back link value referring to o exists in attribute b on object r. The relationship between the forward and back link attributes is expressed using the linkId attribute on the attributeSchema objects representing the two attributes. The forward link's linkId is an even number, and the back link's linkId is the forward link's linkId plus one. A forward link attribute can exist with no corresponding back link attribute, but not vice-versa. For more information, see [MS-ADTS].

forward link value: The value of a forward link attribute.

FSMO role: A set of objects that can be updated in only one naming context (NC) replica (the FSMO role owner's replica) at any given time. For more information, see [MS-ADTS] section 3.1.1.1.11. See also FSMO role owner.

FSMO role object: An object in a directory that represents a specific FSMO role. This object is an element of the FSMO role and contains the fSMORoleOwner attribute.

FSMO role owner: The domain controller (DC) holding the naming context (NC) replica in which the objects of a FSMO role can be updated.

full NC replica: A naming context (NC) replica that contains all the attributes of the objects it contains. A full replica accepts originating updates.

fully qualified domain name (FQDN): (1) An unambiguous domain name that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

(2) In Active Directory, a fully qualified domain name (FQDN) (1) that identifies a domain.

garbage collection: The process of identifying logically deleted objects (also known as tombstones) and link values that have passed their tombstone lifetime, and then permanently removing these objects from a naming context (NC) replica. Garbage collection does not generate replication traffic.

GC partial attribute set (PAS): The subset of attributes that replicate to a GC partial NC replica. A particular GC partial attribute set (PAS) is part of the state of the forest and is used to control the attributes that replicate to global catalog servers (GC servers). The isMemberOfPartialAttributeSet schema attribute is used to define this set.

GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of the attributes in the GC partial attribute set (PAS). A GC partial NC replica is not writable; for example, it does not accept originating updates.

global catalog (GC): A unified partial view of multiple naming contexts (NCs) in a distributed partitioned directory. The Active Directory directory service GC is implemented by GC servers. The definition of global catalog is specified in [MS-ADTS] section 3.1.1.1.8.

global catalog server (GC server): A domain controller (DC) that contains a naming context (NC) replica (one full, the rest partial) for each domain naming context in the forest.

global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Also called domain global group. Universal groups can contain global groups. A group object g is a global group if and only if GROUP_TYPE_ACCOUNT_GROUP is present in g! groupType; see [MS-ADTS] section 2.2.12, "Group Type Flags". A global group that is also a security-enabled group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a global group in that domain that is also a security-enabled group allows only user object as members. See also domain local group, security-enabled group.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the GUID. See also universally unique identifier (UUID).

group: A collection of objects that can be treated as a whole.

group object: In Active Directory, a group object has an object class group. A group has a forward link attribute member; the values of this attribute either represent elements of the group (for example, objects of class user or computer) or subsets of the group (objects of class group). The representation of group subsets is called "nested group membership". The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not and are, for instance, used to represent email distribution lists.

Group Policy: A mechanism that allows the implementer to specify managed configurations for users and computers in an Active Directory service environment.

GUID-based DNS name: The domain naming service name of a domain controller (DC), constructed by concatenating the dashed string representation of the objectGuid of the DC's nTDSDSA object, the string "._msdcs.", and the syntactic transformation of the root domain's distinguished name (DN) to a domain naming service name. If a DC's DSA GUID is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8", and the forest root domain NC's DNS name is "fabrikam.com", then the GUID-based DNS name of the DC is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8._msdcs.fabrikam.com".

GUIDString: A GUID in the form of an ASCII or Unicode string, consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by one group of 12 hexadecimal digits. It is the standard representation of a GUID, as described in [RFC4122] section 3. For example, "6B29FC40-CA47-1067-B31D-00DD010662DA". Unlike a curly braced GUID string, a GUIDString is not enclosed in braces.

inbound trust: A trust relationship between two domains, from the perspective of the domain that is trusted to perform authentication.

inheritance: See object class inheritance.

interdomain trust account: An account that stores information associated with a domain trust in the domain controllers (DCs) of the domain that is trusted to perform authentication.

Interface Definition Language (IDL): The International Standards Organization (ISO) standard language for specifying the interface for remote procedure calls. For more information, see [C706] section 4.

intersite topology generator (ISTG): A domain controller (DC) within a given site that computes an NC replica graph for each NC replica on any DC in its site. This DC creates, updates, and deletes corresponding nTDSConnection objects for edges directed from NC replicas in other sites to NC replicas in its site.

invocation ID: The invocationId attribute. An attribute of an nTDSDSA object. Its value is a unique identifier for a function that maps from update sequence numbers (USNs) to updates to the  NC replicas of a domain controller (DC). See also nTDSDSA object.

JavaScript Object Notation (JSON): A text-based, data interchange format that is used to transmit structured data, typically in Asynchronous JavaScript + XML (AJAX) web applications, as described in [RFC7159]. The JSON format is based on the structure of ECMAScript (Jscript, JavaScript) objects.

Kerberos: An authentication system that enables two parties to exchange private information across an otherwise open network by assigning a unique key (called a ticket) to each user that logs on to the network and then embedding these tickets into messages sent by the users. For more information, see [MS-KILE].

Knowledge Consistency Checker (KCC): A component of the Active Directory replication that is used to create spanning trees for domain controller to domain controller replication and to translate those trees into settings of variables that implement the replication topology.

LDAP connection: A TCP connection from a client to a server over which the client sends Lightweight Directory Access Protocol (LDAP) requests and the server sends responses to the client's requests.

LDAP Data Interchange Format (LDIF): A standard that defines how to import and export directory data between directory servers that use the Lightweight Directory Access Protocol (LDAP), as described in [RFC2849].

LDAP ping: A specific Lightweight Directory Access Protocol (LDAP) search that returns information about whether services are live on a domain controller (DC).

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

lingering object: An object that still exists in an NC replica even though it has been deleted and garbage-collected from other replicas. This occurs, for instance, when a domain controller (DC) goes offline for longer than the tombstone lifetime.

link attribute: A forward link attribute or a back link attribute.

link value: The value of a link attribute.

little-endian: Multiple-byte values that are byte-ordered with the least significant byte stored in the memory location with the lowest address.

local domain controller (local DC): A domain controller (DC) on which the current method is executing.

Lost and Found container: A container holding objects in a given naming context (NC) that do not have parent objects due to add and remove operations that originated on different domain controllers (DCs). The container is a child of the NC root and has RDN CN=LostAndFound in domain NCs and CN=LostAndFoundConfig in config NCs.

mailslot: A form of datagram communication using the Server Message Block (SMB) protocol, as specified in [MS-MAIL].

mailslot ping: A specific mailslot request that returns information about whether services are live on a domain controller (DC).

marshal: To encode one or more data structures into an octet stream using a specific remote procedure call (RPC) transfer syntax (for example, marshaling a 32-bit integer).

Messaging Application Programming Interface (MAPI): A Windows programming interface that enables email to be sent from within a Windows application.

mixed mode: A state of an Active Directory domain that supports domain controllers (DCs) running Windows NT Server 4.0 operating system. Mixed mode does not allow organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See also native mode.

most specific object class: In a sequence of object classes related by inheritance, the class that none of the other classes inherits from. The special object class top is less specific than any other class.

multi-valued claim: A claim with more than one Value in the n-tuple {Identifier, ValueType, m Value(s) of type ValueType}.

name service provider interface (NSPI): A method of performing address-book-related operations on Active Directory.

naming context (NC): An NC is a set of objects organized as a tree. It is referenced by a DSName. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root. The security identifier (SID) of the DSName, if present, is the objectSid attribute of the tree root; for Active Directory Domain Services (AD DS), the SID is present if and only if the NC is a domain naming context (domain NC). Active Directory supports organizing several NCs into a tree structure.

NC replica: A variable containing a tree of objects whose root object is identified by some naming context (NC).

NC replica graph: A directed graph containing NC replicas as nodes and repsFrom tuples as inbound edges by which originating updates replicate from each full replica of a given naming context (NC) to all other NC replicas of the NC, directly or transitively.

NetBIOS: A particular network transport that is part of the LAN Manager protocol suite. NetBIOS uses a broadcast communication style that was applicable to early segmented local area networks. A protocol family including name resolution, datagram, and connection services. For more information, see [RFC1001] and [RFC1002].

NetBIOS domain name: The name registered by domain controllers (DCs) on [1C] records of the NBNS (WINS) server (see section 6.3.4). For details of NetBIOS name registration, see [MS-WPO] sections 7.1.4 and 10.4.

NetBIOS Name Service (NBNS): The name service for NetBIOS. For more information, see [RFC1001] and [RFC1002].

Netlogon: A component that authenticates a computer and provides other services. The running/paused state of Netlogon on a domain controller (DC) is available through protocols documented in [MS-ADTS] section 6.3.

nonreplicated attribute: An attribute whose values are not replicated between naming context (NC) replicas. The nonreplicated attributes of an object are, in effect, local variables of the domain controller (DC) hosting the NC replica containing that object, since changes to these attributes have no effect outside that DC.

nTDSDSA object: An object of class nTDSDSA that is always located in the configuration naming context (config NC). This object represents a domain controller (DC) in the forest. See [MS-ADTS] section 6.1.1.2.2.1.2.1.1.

NULL GUID: A GUID of all zeros.

object: A set of attributes, each with its associated values. For more information on objects, see [MS-ADTS] section 1 or [MS-DRSR] section 1.

object class: A set of restrictions on the construction and update of objects. An object class can specify a set of must-have attributes (every object of the class must have at least one value of each) and may-have attributes (every object of the class may have a value of each). An object class can also specify the allowable classes for the parent object of an object in the class. An object class can be defined by single inheritance; an object whose class is defined in this way is a member of all object classes used to derive its most specific class. An object class is defined in a classSchema object. See section 1 of [MS-ADTS] and section 1 of [MS-DRSR].

object class name: The lDAPDisplayName of the classSchema object of an object class. This document consistently uses object class names to denote object classes; for example,  user and group are both object classes. The correspondence between Lightweight Directory Access Protocol (LDAP) display names and numeric object identifiers (OIDs) in the Active Directory schema is defined in the appendices of these documents: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].

object identifier (OID): In the Lightweight Directory Access Protocol (LDAP), a sequence of numbers in a format described by [RFC1778]. In many LDAP directory implementations, an OID is the standard internal representation of an attribute. In the directory model used in this specification, the more familiar ldapDisplayName represents an attribute.

object of class x (or x object): An object o such that one of the values of its objectClass attributes is x. For instance, if objectClass contains the value user,  o is an object of class user. This is often contracted to "user object".

object reference: An attribute value that references an object. Reading a reference gives the distinguished name (DN) of the object.

operational attribute: An attribute that is returned only when requested by name in a Lightweight Directory Access Protocol (LDAP) search request. An LDAP search request requesting "all attributes" does not return operational attributes and their values.

optional feature: A non-default behavior that modifies the Active Directory state model. An optional feature is enabled or disabled in a specific scope, such as a forest or a domain. For more information, refer to [MS-ADTS] section 3.1.1.9.

organization: A collection of forests, including the current forest, whose TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit of the Trust attribute ([MS-ADTS] section 6.1.6.7.9) of the trusted domain object (TDO) is not set.

oriented tree: A directed acyclic graph such that for every vertex v, except one (the root), there is a unique edge whose tail is v. There is no edge whose tail is the root. For more information, see [KNUTH1] section 2.3.4.2.

originating update: An update that is performed to an NC replica via any protocol except replication. An originating update to an attribute or link value generates a new stamp for the attribute or link value.

outbound trust: A trust relationship between two domains, from the perspective of the domain that trusts another domain to perform authentication.

parent naming context (parent NC): Given naming contexts (NCs) with their corresponding distinguished names (DNs) forming a child and parent relationship, the NC in the parent relationship is referred as the parent NC.

parent object: An object is either the root of a tree of objects or has a parent. If two objects have the same parent, they must have different values in their relative distinguished names (RDNs). See also, object in section 1 of [MS-ADTS] and section 1 of [MS-DRSR].

partial attribute set (PAS): The subset of attributes that replicate to partial naming context (NC) replicas. Also, the particular partial attribute set that is part of the state of a forest and that is used to control the attributes that replicate to global catalog (GC) servers.

partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. A partial NC replica is not writable—it does not accept originating updates. See also writable NC replica.

Partitions container: A child object of the configuration naming context (config NC) root. The relative distinguished name (RDN) of the Partitions container is "cn=Partitions" and its class is crossRefContainer ([MS-ADTS] section 2.30). See also crossRef object.

prefix table: A data structure that is used to translate between an object identifier (OID) and a compressed representation for OIDs. See [MS-DRSR] section 5.14.

primary domain controller (PDC): A domain controller (DC) designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.

primary group: The group object ([MS-ADSC] section 2.53) identified by the primaryGroupID attribute ([MS-ADA3] section 2.120) of a user object ([MS-ADSC] section 2.263). The primary group's objectSid attribute ([MS-ADA3] section 2.45) equals the user's objectSid, with its relative identifier (RID) portion replaced by the primaryGroupID value. The user is considered a member of its primary group.

principal: A unique entity identifiable by a security identifier (SID) that is typically the requester of access to securable objects or resources. It often corresponds to a human user but can also be a computer or service. It is sometimes referred to as a security principal.

privilege: The right of a user to perform system-related operations, such as debugging the system. A user's authorization context specifies what privileges are held by that user.

property set: A set of attributes, identified by a GUID. Granting access to a property set grants access to all the attributes in the set.

RDN attribute: The attribute used in a relative distinguished name (RDN). In the RDN "cn=Peter Houston" the RDN attribute is cn. In the Active Directory directory service, the RDN attribute of an object is determined by the 88 object class or the most specific structural object class of the object.

read permission: The authorization to read an attribute of an object. For more information, see [MS-ADTS] section 5.1.3.

read-only domain controller (RODC): A domain controller (DC) that does not accept originating updates. Additionally, an RODC does not perform outbound replication. An RODC cannot be the primary domain controller (PDC) for its domain.

read-only full NC replica: An NC replica that contains all attributes of the objects it contains, and does not accept originating updates.

Recycle Bin: An optional feature that modifies the state model of object deletions and undeletions, making undeletion of deleted-objects possible without loss of the object's attribute values. For more information, see [MS-ADTS] section 3.1.1.9.1.

recycled-object: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. Unlike a deleted-object, most of the state of the object has been removed, and the object can no longer be undeleted without loss of information. By keeping the recycled-object in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Recycled-objects exist only when the Recycle Bin optional feature is enabled.

relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the distinguished name (DN) of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston". For more information, see [RFC2251].

relative identifier (RID): The last item in the series of SubAuthority values in a security identifier (SID) [SIDD]. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same RID.

remote procedure call (RPC): A communication protocol used primarily between client and server. The term has three definitions that are often used interchangeably: a runtime environment providing for communication facilities between computers (the RPC runtime); a set of request-and-response message exchanges between computers (the RPC exchange); and the single message from an RPC exchange (the RPC message).  For more information, see [C706].

replica: A variable containing a set of objects.

replicated attribute: An attribute whose values are replicated to other NC replicas. An attribute is replicated if its attributeSchema object o does not have a value for the systemFlags attribute, or if the FLAG_ATTR_NOT_REPLICATED bit (bit 0) of o! systemFlags is zero.

replicated update: An update performed to a naming context (NC) replica by the replication system, to propagate the effect of an originating update at another NC replica. The stamp assigned during the originating update to attribute values or a link value is preserved by replication.

replication: The process of propagating the effects of all originating writes to any replica of a naming context (NC), to all replicas of the NC. If originating writes cease and replication continues, all replicas converge to a common application-visible state.

replication cycle: Sometimes referred to simply as "cycle". A series of one or more replication responses associated with the same invocationId, concluding with the return of a new up-to-date vector.

replication latency: The time lag between a final originating update to a naming context (NC) replica and all NC replicas reaching a common application-visible state.

Rivest-Shamir-Adleman (RSA): A system for public key cryptography. RSA is specified in [RFC8017].

root directory system agent-specific entry (rootDSE): The logical root of a directory server, whose distinguished name (DN) is the empty string. In the Lightweight Directory Access Protocol (LDAP), the rootDSE is a nameless entry (a DN with an empty string) containing the configuration status of the server. Access to this entry is typically available to unauthenticated clients. The rootDSE contains attributes that represent the features, capabilities, and extensions provided by the particular server.

root domain: The unique domain naming contexts (domain NCs) of an Active Directory forest that is the parent of the forest's config NC. The config NC's relative distinguished name (RDN) is "cn=Configuration" relative to the root object of the root domain. The root domain is the domain that is created first in a forest.

RPC transport: The underlying network services used by the remote procedure call (RPC) runtime for communications between network nodes. For more information, see [C706] section 2.

SASL: The Simple Authentication and Security Layer, as described in [RFC2222]. This is an authentication mechanism used by the Lightweight Directory Access Protocol (LDAP).

schema: The set of attributes and object classes that govern the creation and update of objects.

schema container: The root object of the schema naming context (schema NC).

schema naming context (schema NC): A specific type of naming context (NC) or an instance of that type. A forest has a single schema NC, which is replicated to each domain controller (DC) in the forest. No other NC replicas can contain these objects. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC. A schema NC cannot contain security principal objects.

schema object: An object that defines an attribute or an object class. Schema objects are contained in the schema naming context (schema NC).

secret attribute: Any of the following attributes: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, and unicodePwd.

Secure Sockets Layer (SSL): A security protocol that supports confidentiality and integrity of messages in client and server applications that communicate over open networks. SSL supports server and, optionally, client authentication using X.509 certificates [X509] and [RFC5280]. SSL is superseded by Transport Layer Security (TLS). TLS version 1.0 is based on SSL version 3.0 [SSL3].

security context: A data structure containing authorization information for a particular security principal in the form of a collection of security identifiers (SIDs). One SID identifies the principal specifically, whereas others represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.

security descriptor: A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by its security identifier (SID). If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. Applications use this structure to set and query an object's security status. The security descriptor is used to guard access to an object as well as to control which type of auditing takes place when the object is accessed. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.

security identifier (SID): An identifier for security principals that is used to identify an account or a group. Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the relative identifier (RID). The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-AZOD] section 1.1.1.2.

security principal: A unique entity, also referred to as a principal, that can be authenticated by Active Directory. It frequently corresponds to a human user, but also can be a service that offers a resource to other security principals. Other security principals might be a group, which is a set of principals. Groups are supported by Active Directory.

security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret that is shared only by the principal. In Active Directory, a security principal object has the objectSid attribute. In Active Directory, the user, computer, and group object classes are examples of security principal object classes (though not every group object is a security principal object). In AD LDS, any object containing the msDS-BindableObject auxiliary class is a security principal. See also computer object, group object, and user object.

security-enabled group: A group object with GROUP_TYPE_SECURITY_ENABLED present in its groupType attribute. Only security-enabled groups are added to a security context. See also group object.

server object: A class of object in the configuration naming context (config NC). A server object can have an nTDSDSA object as a child.

service principal name (SPN): (1) The name a client uses to identify a service for mutual authentication. (For more information, see [RFC1964] section 2.1.1.) An SPN consists of either two parts or three parts, each separated by a forward slash ('/'). The first part is the service class, the second part is the host name, and the third part (if present) is the service name. For example, "ldap/dc-01.fabrikam.com/fabrikam.com" is a three-part SPN where "ldap" is the service class name, "dc-01.fabrikam.com" is the host name, and "fabrikam.com" is the service name. See [SPNNAMES] for more information about SPN format and composing a unique SPN.

(2) The name a client uses to identify a service for mutual authentication. For more information, see [MS-ADTS] section 2.2.21 (Service Principal Name) and [RFC1964] section 2.1.1.

simple bind: A bind with the simple authentication option enabled according to [RFC2251].

Simple Mail Transfer Protocol (SMTP): A member of the TCP/IP suite of protocols that is used to transport Internet messages, as described in [RFC5321].

single-valued claim: A claim with only one Value in the n-tuple {Identifier, ValueType, m Value(s) of type ValueType}.

site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find domain controllers (DCs) that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC). For more information, see [MS-ADTS].

site object: An object of class site, representing a site.

site settings object: For a given site with site object s, its site settings object o is the child of s such that o is of class nTDSSiteSettings and the relative distinguished name (RDN) of o is CN=NTDS Site Settings. See also site object.

SRV record: A type of information record in DNS that maps the name of a service to the DNS name of a server that offers that service. domain controllers (DCs) advertise their capabilities by publishing SRV records in DNS.

SSL/TLS handshake: The process of negotiating and establishing a connection protected by Secure Sockets Layer (SSL) or Transport Layer Security (TLS). For more information, see [SSL3] and [RFC2246].

stamp: Information that describes an originating update by a domain controller (DC). The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the conventional data values. A stamp contains the following pieces of information: the unique identifier of the DC that made the originating update; a sequence number characterizing the order of this change relative to other changes made at the originating DC; a version number identifying the number of times the data value has been modified; and the time when the change occurred.

structural object class: An object class that is not an 88 object class and can be instantiated to create a new object.

SubAuthority: A variable-length array of unsigned, 32-bit integer values that is part of a security identifier (SID). Each of these values is called a SubAuthority. All SubAuthority values excluding the last one collectively identify a domain. The last value, termed as the relative identifier (RID), identifies a particular group or account relative to the domain. For more information, see [SIDD].

subordinate reference object (sub-ref object): The naming context (NC) root of a parent NC has a list of all the NC roots of its child NCs in the subRefs attribute ([MS-ADA3] section 2.282). Each entry in this list is a subordinate reference and the object named by the entry is denominated a subordinate reference object. An object is a subordinate reference object if and only if it is in such a list. If a server has replicas of both an NC and its child NC, then the child NC root is the subordinate reference object, in the context of the parent NC. If the server does not have a replica of the child NC, then another object, with distinguishedName ([MS-ADA1] section 2.177) and objectGUID ([MS-ADA3] section 2.44) attributes equal to the child NC root, is present in the server and is the subordinate reference object.

system access control list (SACL): An access control list (ACL) that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

ticket-granting ticket (TGT): A special type of ticket that can be used to obtain other tickets. The TGT is obtained after the initial authentication in the Authentication Service (AS) exchange; thereafter, users do not need to present their credentials, but can use the TGT to obtain subsequent tickets.

tombstone: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. By keeping the tombstone in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Tombstones exist only when the Recycle Bin optional feature is not enabled.

tombstone lifetime: The amount of time a deleted directory object remains in storage before it is permanently deleted. To avoid inconsistencies in object deletion, the tombstone lifetime is configured to be many times longer than the worst-case replication latency.

top level name (TLN): The DNS name of the forest root domain NC.

transitive membership: An indirect group membership that occurs when an object is a member of a group that is a member of a second group. The object is a member of the second group through a transitive membership.

Transmission Control Protocol (TCP): A protocol used with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. TCP handles keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet.

Transport Layer Security (TLS): A security protocol that supports confidentiality and integrity of messages in client and server applications communicating over open networks. TLS supports server and, optionally, client authentication by using X.509 certificates (as specified in [X509]). TLS is standardized in the IETF TLS working group.

trust: To accept another authority's statements for the purposes of authentication and authorization, especially in the case of a relationship between two domains. If domain A trusts domain B, domain A accepts domain B's authentication and authorization statements for principals represented by security principal objects in domain B; for example, the list of groups to which a particular user belongs. As a noun, a trust is the relationship between two domains described in the previous sentence.

trust object: An object representing a trust.

trust secret: A pair of keys used to encrypt or sign sensitive protocol data between two trust authorities, such as domain controllers.

trusted domain object (TDO): A collection of properties that define a trust relationship with another domain, such as direction (outbound, inbound, or both), trust attributes, name, and security identifier of the other domain. For more information, see [MS-ADTS].

TTL-DN: An alternative form of distinguished name (DN), applicable only to values of link valued attributes, that includes the time until the link is no longer returned to LDAP clients.

Unicode: A character encoding standard developed by the Unicode Consortium that represents almost all of the written languages of the world. The Unicode standard [UNICODE5.0.0/2007] provides three forms (UTF-8, UTF-16, and UTF-32) and seven schemes (UTF-8, UTF-16, UTF-16 BE, UTF-16 LE, UTF-32, UTF-32 LE, and UTF-32 BE).

universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g! groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.

universally unique identifier (UUID): A 128-bit value. UUIDs can be used for multiple purposes, from tagging objects with an extremely short lifetime, to reliably identifying very persistent objects in cross-process communication such as client and server interfaces, manager entry-point vectors, and RPC objects. UUIDs are highly likely to be unique. UUIDs are also known as globally unique identifiers (GUIDs) and these terms are used interchangeably in the Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the UUID. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] must be used for generating the UUID.

update: An add, modify, or delete of one or more objects or attribute values.  See originating update, replicated update.

update sequence number (USN): A monotonically increasing sequence number used in assigning a stamp to an originating update. For more information, see [MS-ADTS].

uplevel trust: A trust in which both peers are running Windows 2000 operating system or later domain controllers.

User Datagram Protocol (UDP): The connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI reference model.

user object: An object of class user. A user object is a security principal object; the principal is a person or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself, as described in ([MS-AUTHSOD] section 1.1.1.1).

user principal name (UPN): A user account name (sometimes referred to as the user logon name) and a domain name that identifies the domain in which the user account is located. This is the standard usage for logging on to a Windows domain. The format is: someone@example.com (in the form of an email address). In Active Directory, the userPrincipalName attribute of the account object, as described in [MS-ADTS].

UTF-16: A standard for encoding Unicode characters, defined in the Unicode standard, in which the most commonly used characters are defined as double-byte characters. Unless specified otherwise, this term refers to the UTF-16 encoding form specified in [UNICODE5.0.0/2007] section 3.9.

UTF-8: A byte-oriented standard for encoding Unicode characters, defined in the Unicode standard. Unless specified otherwise, this term refers to the UTF-8 encoding form specified in [UNICODE5.0.0/2007] section 3.9.

Virtual List View (VLV) search: Refers to a Lightweight Directory Access Protocol (LDAP) search operation that enables the server to return a contiguous subset of a large search result set. LDAP controls LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE (section 3.1.1.3.4.1.17) that are used to perform a VLV search.

well-known object (WKO): An object within an naming context (NC) that can be located using a fixed globally unique identifier (GUID).

Windows error code: A 32-bit quantity where zero represents success and nonzero represents failure. The specific failure codes are specified in [MS-ERREF].

Windows security descriptor: See security descriptor.

writable naming context (NC) replica: A naming context (NC) replica that accepts originating updates. A writable NC replica is always full, but a full NC replica is not always writable. Partial replicas are not writable. See also read-only full NC replica.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.