

.adm
The file name extension for Administrative Templates files. See also administrative template (.adm file).
.msi
The file name extension for Windows Installer package files.


10BaseT
An IEEE 802.3 Ethernet specification for 10 Mbps transmission over category 3, 4, or 5 unshielded twisted-pair cable.


3270
A class of IBM Systems Network Architecture terminal, and the related protocol, used to communicate with IBM mainframe host systems.
3DES
Triple DES. A block cipher that applies the DES algorithm three times to each 64-bit block (encrypt, decrypt, encrypt) using two or three independent 56-bit keys. Exhaustive key search against 3DES is far harder than against single DES, although meet-in-the-middle attacks limit three-key 3DES to roughly 112 bits of effective security, and it runs about three times slower than DES. 3DES has since been deprecated by NIST in favor of AES and should not be chosen for new designs.
5250
A class of IBM Systems Network Architecture terminal, and the related protocol, used to communicate with AS/400 host systems.
802.1p
A protocol that supports the mapping of RSVP signals to Layer 2 signals using 802.1p priority markings to enable the prioritization of traffic across Layer 2 devices, such as switches, on a network segment. IEEE 802 refers to the Layer 2 technology used by LANs, including the data-link layer and the media access control layer.
88 class
A class defined under the pre-1993 (X.500 1988) rules, which is therefore not required to fall into one of the structural, abstract, or auxiliary categories. This type of class is indicated by a value of 0 in the objectClassCategory attribute of its classSchema object.


A resource record
See address (A) resource record.
AAL
See ATM adaptation layer.
abstract classes
Templates used only to derive new structural classes. Abstract classes cannot be instantiated in the directory.
access control
The security mechanism in Windows NT and Windows 2000 that determines which objects a security principal can use and how the security principal can use them. See also authorization; security principal.
access control entry (ACE)
An entry in an access control list (ACL) containing the security ID (SID) for a user or group and an access mask that specifies which operations by the user or group are allowed, denied, or audited. See also access control list; access mask; security descriptor.
access control list (ACL)
A list of security protections that apply to an entire object, a set of the object's properties, or an individual property of an object. There are two types of access control lists: discretionary and system. See also access control entry; discretionary access control list; security descriptor; system access control list.
access mask
A 32-bit value that specifies the rights that are allowed or denied in an access control entry (ACE) of an access control list (ACL). An access mask is also used to request access rights when an object is opened. See also access control entry.
access privileges
Permissions set by Macintosh users that allow them to view and make changes to folders on a server. By setting access privileges (called permissions when set on a computer running Windows 2000 Server), administrators control which Macintosh computers can use folders on a volume.
access token
A data structure containing security information that identifies a user to the security subsystem on a computer running Windows 2000 or Windows NT. Access tokens contain a user's security ID, the security IDs for groups that the user belongs to, and a list of the user's privileges on the local computer. See also privilege; security ID.
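The access control, ACE, ACL, access mask and access token entries above together describe one algorithm: the SIDs in a token are matched against the ordered ACEs of a DACL, and each ACE's access mask grants or denies bits of the requested access. The following is an added illustration of that check, not Windows code; the SIDs, the access-mask bit values and the ACL it uses are constructed for the example.

```python
"""Access check over a DACL, modelled after the Windows algorithm the
glossary entries describe.  Added example, not Windows code: the SIDs, the
access-mask bits and the ACL below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed access-mask bits (assumption: the real file rights use other values).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8

# Constructed SIDs in the usual S-1-... form; only their identity matters here.
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-1-1001"
DEVS = "S-1-5-21-1-2001"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID
    mask: int   # 32-bit access mask: rights this ACE allows or denies


@dataclass
class Token:
    user_sid: str
    group_sids: FrozenSet[str] = field(default_factory=frozenset)

    def sids(self) -> FrozenSet[str]:
        return frozenset({self.user_sid, *self.group_sids})


def access_check(token: Token, dacl: Optional[List[Ace]], requested: int) -> bool:
    """Walk the DACL in order.  A deny ACE for one of the token's SIDs that
    covers any requested bit refuses immediately; allow ACEs accumulate bits
    until every requested bit is granted.  A missing DACL (None) grants
    everything; an empty DACL grants nothing."""
    if dacl is None or requested == 0:
        return True
    granted = 0
    sids = token.sids()
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def demo() -> dict:
    alice = Token(ALICE, frozenset({EVERYONE, DEVS}))
    canonical = [                       # denies ahead of allows, as Windows orders them
        Ace("deny", DEVS, WRITE),
        Ace("allow", EVERYONE, READ),
        Ace("allow", ALICE, WRITE | DELETE),
    ]
    non_canonical = [canonical[1], canonical[2], canonical[0]]   # deny moved last
    return {
        "read": access_check(alice, canonical, READ),
        "write_canonical": access_check(alice, canonical, WRITE),
        "write_non_canonical": access_check(alice, non_canonical, WRITE),
        "empty_dacl": access_check(alice, [], READ),
        "null_dacl": access_check(alice, None, READ | WRITE | DELETE),
    }


if __name__ == "__main__":
    print(demo())
```

The non-canonical case is the point of the ordering rule: with the deny ACE moved after the allows, Alice's explicit allow satisfies the request before the group deny is ever reached. A null DACL (no DACL at all) is also worth distinguishing from an empty one: the first grants everyone full access, the second grants nobody anything.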
accessibility
The quality of a system incorporating hardware or software to engage a flexible, customizable user interface, alternative input and output methods, and greater exposure of screen elements to make the computer usable by people with cognitive, hearing, physical, or visual disabilities.
Accessibility Wizard
An interactive tool that makes it easier to set up commonly used accessibility features by specifying options by type of disability, rather than by numeric value changes.
account domain
A Windows NT domain that holds user account data. Also known as a master domain.
account lockout
A Windows 2000 security feature that locks a user account when the number of failed logon attempts within a specified time reaches the threshold set in the account lockout policy. A locked account cannot log on, even with the correct password, until the lockout duration expires or an administrator unlocks it. Because anyone who knows a user name can trigger the lockout by submitting bad passwords, the feature is also a denial-of-service lever, so the threshold and duration should be chosen with that in mind.
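The following is an added example, not Windows code, of how the three lockout settings interact over a stream of logon events: a threshold of failed attempts, an observation window after which the failure counter resets, and a lockout duration. The policy values and the event stream are constructed for illustration.

```python
"""Account-lockout evaluation over a constructed stream of logon events.
Added example, not Windows code.  The three policy values mirror the Windows
2000 settings (lockout threshold, 'reset counter after' observation window,
lockout duration) but the numbers used here are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5              # failed attempts that trigger lockout
    observation_window: int = 600   # seconds after which the bad-attempt counter resets
    lockout_duration: int = 1800    # seconds; 0 means locked until an administrator unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    window_start: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.accounts.get(user)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record(self, user: str, success: bool, now: float) -> str:
        """Apply one logon event; returns 'ok', 'bad' or 'locked'."""
        st = self.accounts.setdefault(user, AccountState())
        if self.is_locked(user, now):
            return "locked"             # locked accounts cannot log on, even with the right password
        if st.locked_until is not None:  # lockout has expired: start clean
            st.locked_until, st.bad_count, st.window_start = None, 0, None
        if success:
            st.bad_count, st.window_start = 0, None
            return "ok"
        if st.window_start is None or now - st.window_start > self.policy.observation_window:
            st.window_start, st.bad_count = now, 0   # counter resets once the window has passed
        st.bad_count += 1
        if st.bad_count >= self.policy.threshold:
            dur = self.policy.lockout_duration
            st.locked_until = now + dur if dur else float("inf")
            return "locked"
        return "bad"


def run(events: List[Tuple[float, str, bool]], policy: LockoutPolicy) -> List[str]:
    tracker = LockoutTracker(policy)
    return [tracker.record(user, ok, t) for t, user, ok in events]


# Constructed events: (seconds, user, password correct?)
EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False), (30, "alice", False),
    (700, "alice", False),                      # window expired: this counts as attempt 1 again
    (710, "alice", False), (720, "alice", False), (730, "alice", False),
    (740, "alice", False),                      # fifth failure inside the window: lockout
    (750, "alice", True),                       # correct password, still locked
    (2540, "alice", True),                      # lockout duration elapsed
]

if __name__ == "__main__":
    print(run(EVENTS, LockoutPolicy()))
```

Note how the four early failures never count toward the lockout once the observation window has passed, and how the correct password at 750 seconds is still refused: that refusal is exactly what an attacker exploits when using lockout as a denial of service.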
ACE
See access control entry.
ACL
See access control list.
ACPI
See Advanced Configuration and Power Interface.
active cluster member
A node that is running and participating in cluster operations.
Active Directory
The directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. See also directory; directory service.
Active Directory Connector (ADC)
A synchronization agent in Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server that provides an automated way of keeping directory information consistent between directories. Without the ADC, you would have to manually enter new data and updates in both directory services.
Active Directory data model
A model derived from the LDAP data model. The directory holds objects that represent entities of various sorts, described by attributes. The objects and classes of objects that can be stored in the directory are defined in the schema. For each class of objects, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what class can be its parent. See also attribute; LDAP; schema.
Active Directory Installation wizard
A Windows 2000 Server tool that allows the following during Setup: installation of Active Directory, creation of trees in a forest, replication of an existing domain, installation of Kerberos authentication software, and promotion of servers to domain controllers.
Active Directory replication
Synchronization of directory partition replicas between Windows 2000 domain controllers. Directory partition replicas are writable on each domain controller, except for the read-only partial replicas held by Global Catalog servers. Replication automatically copies the changes from a specified directory partition replica to all other domain controllers that hold the same directory partition replica. More specifically, a server called the "destination" pulls changes from another server called the "source". See also directory partition; File Replication service; multimaster replication; replication.
Active Directory Service Interfaces (ADSI)
A set of high-level programming interfaces that provide a single, consistent, open set of interfaces enabling Windows 2000, Windows NT, Windows 98, and Windows 95 client applications to access several network directory services, including Active Directory. ADSI lets client applications of directory services use one set of interfaces to communicate with any namespace that provides an ADSI implementation (provider).
Active Directory Users and Computers
An administrative tool designed to perform day-to-day Active Directory administration tasks. These tasks include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. These objects include organizational units, users, contacts, groups, computers, printers, and shared file objects. See also object; permissions.
Active Directory-integrated zone
A primary zone stored in Active Directory. See also zone.
active partition
The partition from which the computer starts. The active partition must be a primary partition on a basic disk. If you are using Windows 2000 exclusively, the active partition can be the same as the system partition. If you are using Windows 2000 and Windows 98 or earlier, or MS-DOS, the active partition must contain the startup files for both operating systems.
active/active
The cluster configuration of an application in which the application runs on all nodes at the same time. See also active/passive.
active/passive
The cluster configuration of an application in which the application runs on only one node at a time. See also active/active.
ActiveX
A set of technologies that enables software components to interact with one another in a networked environment, regardless of the language in which the components were created.
ActiveX control
A reusable software component that incorporates ActiveX technology.
ADC
See Active Directory Connector (ADC).
additional domain controller
When installing Active Directory, a domain controller that is being added to an existing Windows 2000 domain.
address
In Systems Management Server, addresses are used to connect sites and site systems. Senders use addresses to send instructions and data to other sites.
address (A) resource record
A resource record used to map a DNS domain name to a host IP address on the network. See also resource record.
address class
See internet address class.
address pool
A group of IP addresses in a scope. Pooled addresses are then available for dynamic assignment by a DHCP server to DHCP clients.
Address Resolution Protocol (ARP)
In TCP/IP, a protocol that uses broadcast traffic on the local network to resolve a logically assigned IP address to its physical hardware or media access control layer address. In ATM the ARP protocol is used two different ways. For classical IP over ATM, ARP is used to resolve addresses to ATM hardware addresses. For ATM LAN emulation, ARP is used to resolve Ethernet/802.3 or Token Ring addresses to ATM hardware addresses. See also media access control; Transmission Control Protocol/Internet Protocol.
adjacency
A relationship formed between selected neighboring OSPF routers for the purpose of exchanging routing information. When the link state databases of two neighboring routers are synchronized, the routers are said to be adjacent. Not every pair of neighboring routers becomes adjacent. See also link state database.
administrative template (.adm file)
A text file used by the Group Policy console as a source to generate the user interface for Group Policy settings an administrator can set. Windows NT 4.0 used an earlier version of .adm files to generate user interface for registry-based System Policy settings in the System Policy Editor.
admission control
The service used to administratively control network resources on shared network segments.
ADSI
See Active Directory Service Interfaces.
ADSI provider
COM objects that implement ADSI for a particular namespace (for example, an LDAP namespace such as Active Directory).
ADSL
See Asymmetric Digital Subscriber Line.
Advanced Configuration and Power Interface (ACPI)
An open industry specification that defines power management on a wide range of mobile, desktop, and server computers and peripherals. ACPI is the foundation for the OnNow industry initiative that allows system manufacturers to deliver computers that will start at the touch of a keyboard. ACPI design is essential to take full advantage of power management and Plug and Play in Windows 2000. Check the manufacturer's documentation to verify that a computer is ACPI-compliant. See also Plug and Play.
Advanced Peer-to-Peer Networking (APPN)
An upgrade to IBM Systems Network Architecture that supports distributed session control services and dynamic routing, avoiding dependencies on centralized mainframe network services.
Advanced Program-to-Program Communication (APPC)
An IBM Systems Network Architecture communications method that uses the LU 6.2 protocol to establish, manage, and terminate network communication between programs in a distributed computing environment.
Advanced Program-to-Program Communication File Transfer Protocol (AFTP)
A file transfer protocol used in IBM host systems, the IBM Advanced Program-to-Program Communication equivalent of the TCP/IP File Transfer Protocol.
advertise
In Windows 2000 and Systems Management Server, to make a program available to members of a collection (group).
advertisement
In Systems Management Server, a notification sent by the site server to the client access points (CAPs) specifying that a software distribution program is available for clients to use. In Windows 2000, the Software Installation snap-in generates an application advertisement script and stores this script in the appropriate locations in Active Directory and the Group Policy object.
affinity mask
A value that contains bits for each processor on the system, defining which processors a process or thread can use.
agent
An application that runs on a Simple Network Management Protocol (SNMP) managed device. The agent application is the object of management activities. A computer running SNMP agent software is also sometimes referred to as an agent.
algorithm
A rule or procedure for solving a problem. Internet Protocol security uses cryptographically based algorithms to encrypt data.
alias
An additional name that can be used to access a specific port.
all-ones subnet
The subnet for which all the bits in the subnet portion of the subnetted network ID are set to 1.
all-subnets directed broadcast address
The broadcast address designed to reach all subnets of a subnetted class-based IP network ID.
all-zeros subnet
The subnet for which all the bits in the subnet portion of the subnetted network ID are set to 0.
allocate
To mark media for use by an application. Media in the available state may be allocated.
allocated state
A state that indicates media are in use and assigned to application media pools.
alternative input devices
Input devices for users who cannot use standard input devices, such as a mouse or a keyboard.
ambiguous name resolution
In an LDAP search, the process of searching for a string value in a set of attributes by using one filter of the form (ANR=string). A defined set of attributes is available for ANR searches, and when the (ANR=string) filter is encountered, the filter is expanded to include a search of every attribute in the ANR set.
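As an added example, not Active Directory's own code, the following expands an (ANR=string) term into the OR filter the entry describes. The ANR attribute set it uses is an assumption (a subset of the default set), as is the extra givenName/sn pairing when the string contains a space. The security-relevant detail is that the user-supplied string is escaped per RFC 4515 before it is spliced into the filter, so a search string cannot inject additional filter terms.

```python
"""Expansion of an (ANR=string) LDAP filter as the glossary entry describes:
one term becomes an OR over every attribute in the ANR set.  Added example,
not Active Directory code.  ANR_SET is an assumption (a subset of the default
set); the givenName/sn pairing on an embedded space is also reproduced here as
an assumption.  Values are escaped per RFC 4515 before being spliced into the
filter so that user input cannot inject extra filter terms."""
import re
from typing import List

ANR_SET = ("displayName", "givenName", "sn", "name", "sAMAccountName",
           "physicalDeliveryOfficeName", "proxyAddresses")   # assumption: partial default set


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def expand_anr(value: str) -> str:
    """Return the OR filter that replaces (anr=value)."""
    v = value.strip()
    terms: List[str] = ["(%s=%s*)" % (attr, escape_filter_value(v)) for attr in ANR_SET]
    first, _, last = v.partition(" ")
    if last:   # 'Jane Doe': also try given name / surname in both orders
        f, l = escape_filter_value(first), escape_filter_value(last.strip())
        terms.append("(&(givenName=%s*)(sn=%s*))" % (f, l))
        terms.append("(&(givenName=%s*)(sn=%s*))" % (l, f))
    return "(|" + "".join(terms) + ")"


_ANR_TERM = re.compile(r"\((?i:anr)=([^)]*)\)")


def rewrite_filter(filter_str: str) -> str:
    """Replace every (anr=...) term inside a larger filter with its expansion."""
    return _ANR_TERM.sub(lambda m: expand_anr(m.group(1)), filter_str)


if __name__ == "__main__":
    print(rewrite_filter("(&(objectCategory=person)(anr=Jane Doe))"))
    print(expand_anr("jo*)(objectClass=*"))    # hostile input stays a literal prefix
```

The second print shows why escaping matters: without it, a search string such as jo*)(objectClass=* would close the prefix term early and add a clause of the attacker's choosing to every expanded attribute.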
answer file
A text file that you can use to provide automated input for unattended installation of Windows 2000. This input includes parameters to answer the questions required by Setup for specific installations. In some cases, you can use this text file to provide input to wizards, such as the Active Directory Installation wizard, which is used to add Active Directory to Windows 2000 Server through Setup. The default answer file for Setup is known as Unattend.txt.
anti-replay
A feature for preventing replay attacks. See also replay attack.
AppleTalk
The Apple Computer network architecture and network protocols. A network that has Macintosh clients and a computer running Windows 2000 Server with Services for Macintosh functions as an AppleTalk network.
AppleTalk Control Protocol (ATCP)
The Network Control Protocol for AppleTalk-based PPP connections. ATCP negotiates AppleTalk-based parameters to dynamically configure an AppleTalk-based PPP peer across a point-to-point link.
AppleTalk Phase 2
The extended AppleTalk Internet model designed by Apple Computer that supports multiple zones within a network and extended addressing capacity. See also AppleTalk.
AppleTalk Protocol
The set of network protocols on which the AppleTalk network architecture is based. The AppleTalk Protocol stack must be installed on a computer running Windows 2000 Server so that Macintosh clients can connect to it. See also AppleTalk.
application assignment
A process that uses Software Installation (an extension of Group Policy) to assign programs to groups of users. The programs appear on the users' desktop when they log on.
application layer
The layer at which applications access network services. This layer represents the services that directly support applications, such as software for file transfers, database access, and e-mail.
application media pool
A data repository that determines which media can be accessed by which applications and that sets the policies for that media. There can be any number of application media pools in a Removable Storage system. Applications create application media pools.
application programming interface (API)
A set of routines that an application uses to request and carry out lower-level services performed by a computer's operating system. These routines usually carry out maintenance tasks such as managing files and displaying information.
APPN
See Advanced Peer-to-Peer Networking.
APPN domain
An APPN network node and the other physical unit (PU) type 2.1 nodes attached to it.
area
A group of contiguous networks within an OSPF autonomous system. OSPF areas reduce the size of the link state database and provide the ability to summarize routes. See also autonomous system; link state database.
area border router (ABR)
A router that is attached to multiple areas. Area border routers maintain separate link state databases for each area. See also link state database.
ARP
See Address Resolution Protocol.
ARP cache
A table of IP addresses and their corresponding media access control address. There is a separate ARP cache for each interface.
assigned applications
Applications that are assigned to users or computers by an administrator using the Software Installation snap-in, an extension to Group Policy. Assigned applications are always available to users or computers managed by a Group Policy object. User-assigned applications appear to be installed on a user's computer and can be installed by selecting the software from the Start menu or selecting a shortcut on the desktop. Applications assigned to a computer are installed when the computer is turned on.
assign
In Windows 2000 and Systems Management Server, to deploy a program to members of a collection (group), where acceptance of the program is mandatory.
Asymmetric Digital Subscriber Line (ADSL)
A high-bandwidth digital transmission technology that uses existing phone lines and also allows voice transmissions over the same lines. Most of the traffic is transmitted downstream to the user, generally at rates of 512 Kbps to about 6 Mbps.
asymmetric key algorithm
See public-key algorithm.
Asynchronous Transfer Mode (ATM)
A high-speed connection-oriented protocol used to transport many different types of network traffic.
ATCP
See AppleTalk Control Protocol.
ATM
See Asynchronous Transfer Mode.
ATM adaptation layer (AAL)
The layer of the ATM protocol stack that parses data into the payload portion of the ATM cell for transport across an ATM network. See also Asynchronous Transfer Mode (ATM).
atomic transaction
In Active Directory, database transactions that are either completed in full or are not applied at all. If for any reason an error occurs and a transaction is unable to complete all of its steps, the system is returned to the state it was in before the transaction was started.
atomic update
In a server cluster, the means by which the cluster registry key is replicated to all nodes. If any part of an atomic update on a node fails, all of it fails. In Active Directory, the method of updating an Active Directory attribute. An LDAP directory server processes each update request as an atomic action: The request either is committed and all its effects are durable, or it is terminated and has no effect. In Active Directory replication, the scope of an atomic update is the object. All of the attribute changes made to an object that are replicated at the same time are applied together atomically.
attribute (object)
In Active Directory, an attribute describes characteristics of an object and the type of information an object can hold. For each object class, the schema defines what attributes an instance of the class must have and what additional attributes it might have.
attributeID
The object identifier that is the unique name of an attribute.
attributes (file)
Information that indicates whether a file is read-only, hidden, ready for archiving (backing up), compressed, or encrypted, and whether the file contents should be indexed for fast file searching.
attributeSyntax
The syntax object identifier for this attribute.
auditing
To track the activities of users by recording selected types of events in the security log of a server or a workstation.
augmentative communication devices
Add-on software and hardware that can help users with disabilities control a computer by using assistive technology. Examples are speech recognition systems and screen readers.
authentication
A basic security function of cryptography. Authentication verifies the identity of the entities that communicate over the network. For example, the process that verifies the identity of a user who logs on to a computer either locally, at a computer's keyboard, or remotely, through a network connection. See also cryptography; confidentiality; integrity; Kerberos authentication protocol; nonrepudiation; NTLM authentication protocol.
In IPSec, the process that verifies the origin and integrity of a message by establishing the identity of each computer. Without strong authentication, an unknown computer and any data it sends are suspect. IPSec provides several authentication methods (Kerberos, public key certificates, and preshared keys) so that it can interoperate with earlier versions of Windows, with non-Windows systems, and with shared computers.
In network access, the process by which the system validates a user's logon credentials. The supplied user name and password are checked against the account database; on a match, access is granted to the extent specified by the permissions for that user. When a user logs on to a local account on a computer running Windows 2000 Professional, authentication is performed by that computer. When a user logs on to a domain account, authentication can be performed by any domain controller of that domain. See also server; trust relationship.
Authentication Header (AH)
A header (IP protocol 51) that provides authentication, integrity, and anti-replay protection for the entire packet: the IP header, except for fields that legitimately change in transit such as TTL and the header checksum, and the data payload carried in the packet. AH provides no confidentiality, and because the source and destination addresses are covered by its integrity check, AH-protected traffic cannot pass through network address translation (NAT).
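For the anti-replay and Authentication Header entries, the following is an added miniature of AH processing, not an IPsec implementation: the integrity check value covers the whole packet with the IP header's mutable fields zeroed, and a sliding window over the AH sequence number rejects replayed packets. It assumes HMAC-SHA1 truncated to 96 bits, a 20-byte IPv4 header without options, a 32-packet window, and constructed keys, addresses and payloads.

```python
"""Authentication Header processing in miniature: the ICV covers the packet
with the IP header's mutable fields zeroed, and a sliding window over the AH
sequence number gives anti-replay.  Added example, not an IPsec
implementation.  Assumptions: HMAC-SHA1 truncated to 96 bits, a 20-byte IPv4
header without options, a 32-packet window, constructed keys and packets."""
import hashlib
import hmac
import ipaddress
import struct

IP_HDR_LEN = 20
AH_FIXED_LEN = 12   # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12        # 96-bit truncated HMAC
# (offset, length) of IPv4 header fields that change in transit: TOS, flags/fragment
# offset, TTL, header checksum.  AH zeroes these before computing the ICV.
MUTABLE_FIELDS = ((1, 1), (6, 2), (8, 1), (10, 2))


def build_ip_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol 51 (AH), checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 51, 0, src, dst)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    hdr = bytearray(ip_hdr)
    for off, ln in MUTABLE_FIELDS:
        hdr[off:off + ln] = b"\x00" * ln
    covered = bytes(hdr) + ah_fixed + b"\x00" * ICV_LEN + payload   # the ICV field itself is zeroed
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int,
                    payload: bytes, next_header: int = 17) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip_hdr = build_ip_header(src, dst, IP_HDR_LEN + ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


class AhReceiver:
    def __init__(self, key: bytes, window: int = 32):
        self.key, self.window = key, window
        self.top, self.bitmap = 0, 0   # highest sequence seen; bit i set = (top - i) already received

    def receive(self, packet: bytes) -> str:
        ip_hdr = packet[:IP_HDR_LEN]
        ah_fixed = packet[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN]
        icv = packet[IP_HDR_LEN + AH_FIXED_LEN:IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN]
        payload = packet[IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN:]
        seq = struct.unpack("!I", ah_fixed[8:12])[0]
        # Sequence check first (cheap), then the ICV; the window moves only for authentic packets.
        if seq == 0 or (seq <= self.top and
                        (self.top - seq >= self.window or (self.bitmap >> (self.top - seq)) & 1)):
            return "replay"
        if not hmac.compare_digest(compute_icv(self.key, ip_hdr, ah_fixed, payload), icv):
            return "bad_icv"
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "ok"


def demo() -> list:
    key = b"constructed-ah-key"
    src, dst = ipaddress.IPv4Address("10.0.0.1").packed, ipaddress.IPv4Address("10.0.0.2").packed
    rx = AhReceiver(key)
    p1 = build_ah_packet(key, src, dst, 0x100, 1, b"hello")
    p2 = build_ah_packet(key, src, dst, 0x100, 2, b"world")
    # A router hop decrements TTL and rewrites the checksum: both mutable, so the ICV still matches.
    hop = bytearray(p2)
    hop[8] -= 1
    hop[10:12] = b"\xab\xcd"
    p3 = build_ah_packet(key, src, dst, 0x100, 3, b"!")
    # A NAT rewrites the source address: covered by the ICV, so the packet fails.
    nat = p3[:12] + ipaddress.IPv4Address("203.0.113.9").packed + p3[16:]
    return [rx.receive(p1), rx.receive(bytes(hop)), rx.receive(p1), rx.receive(nat), rx.receive(p3)]


if __name__ == "__main__":
    print(demo())
```

The demo sequence is the practical summary of the entry: a router hop (mutable fields) verifies, a replay of an already-seen sequence number is dropped before any HMAC work, and a NAT-rewritten source address fails the ICV, which is why AH and NAT do not mix.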
authenticator
A data structure used by one party to prove that another party knows a secret key. In the Kerberos authentication protocol, authenticators include timestamps, to prevent replay attacks, and are encrypted with the session key issued by the Key Distribution Center (KDC). See also Kerberos authentication protocol; Key Distribution Center; replay attack; secret key.
authority
In the Domain Name System (DNS), the use of zones by DNS servers to register and resolve a DNS domain name. When a DNS server is configured to host a zone, it is authoritative for names within that zone. DNS servers are granted authority based on information stored in the zone. See also zone.
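The following is an added example, not MIT or Windows Kerberos code, of the three checks a service applies to an authenticator: that it was produced under the session key, that its timestamp is within the tolerated clock skew, and that it has not been presented before. It assumes an HMAC-SHA256 tag under the session key in place of the real encryption, a 300-second skew window, and an in-memory replay cache.

```python
"""Authenticator verification in the shape the Kerberos entry describes: the
client proves it holds the session key, the timestamp bounds clock skew, and a
replay cache rejects a second presentation.  Added example, not MIT or
Windows Kerberos code.  Assumptions: an HMAC-SHA256 tag under the session key
stands in for encrypting the authenticator; the 300-second skew window is the
customary default; the replay cache is an in-memory dict."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

MAX_SKEW = 300  # seconds of tolerated clock difference


def _tag(session_key: bytes, client: str, timestamp: int) -> str:
    msg = json.dumps({"client": client, "ts": timestamp}, sort_keys=True).encode()
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, client: str, timestamp: int) -> dict:
    """Client side: bind the client name and current time under the session key."""
    return {"client": client, "ts": timestamp, "tag": _tag(session_key, client, timestamp)}


class Verifier:
    """Service side.  Cache entries are dropped after MAX_SKEW because any
    authenticator older than that is rejected for skew anyway."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seen: Dict[Tuple[str, int], int] = {}   # (client, ts) -> cache expiry

    def verify(self, auth: dict, now: int) -> str:
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if not hmac.compare_digest(_tag(self.key, auth["client"], auth["ts"]), auth["tag"]):
            return "bad_key"      # sender lacks the session key, or the fields were altered
        if abs(now - auth["ts"]) > MAX_SKEW:
            return "clock_skew"   # KRB_AP_ERR_SKEW
        key = (auth["client"], auth["ts"])
        if key in self.seen:
            return "replay"       # KRB_AP_ERR_REPEAT
        self.seen[key] = auth["ts"] + MAX_SKEW
        return "ok"


if __name__ == "__main__":
    k = b"constructed-session-key"
    v = Verifier(k)
    a = make_authenticator(k, "alice@EXAMPLE.COM", 1000)
    print(v.verify(a, 1010), v.verify(a, 1020))
```

The order of checks is deliberate: the key check runs first so that a forged authenticator cannot poison the replay cache, and the skew check bounds how long the cache must remember anything.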
authoritative restore
In Backup, a type of restore operation on a Windows 2000 domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects. Authoritative restore is applicable only to replicated System State data such as Active Directory data and File Replication service data. The Ntdsutil.exe utility is used to perform an authoritative restore. See also nonauthoritative restore; System State.
authorization
The process that determines what a user is permitted to do on a computer system or network. For remote access or demand-dial routing connections, the verification that the connection attempt is allowed. Authorization occurs after successful authentication. See also access control; authentication.
automated installation
To run an unattended setup using one or more of several methods such as Remote Installation Services, bootable CD, and Sysprep.
automatic file truncation
A process that converts premigrated files into a remote storage identifier or placeholder to reclaim space on the managed volume. Automatic file truncation is initiated on a managed volume whenever the amount of free space is less than the desired free space as defined by the administrator.
Automatic Private IP Addressing (APIPA)
A feature of Windows 2000 TCP/IP that automatically configures a unique IP address from the link-local range 169.254.0.1 through 169.254.255.254 with a subnet mask of 255.255.0.0 when TCP/IP is configured for dynamic addressing and no Dynamic Host Configuration Protocol (DHCP) server is available.
Automation
A Component Object Model (COM) based technology that allows for interoperability among ActiveX components, including OLE components. Formerly referred to as OLE Automation. See also ActiveX; object linking and embedding.
autonomous system (AS)
A group of routers exchanging routing information by using a common routing protocol.
auxiliaryClass
A multivalued property that specifies the auxiliary classes from which this class inherits. For an existing classSchema object, values can be added to this property but not removed. Each value is the lDAPDisplayName of a class. You must ensure that the class exists or will exist when the new class is written to the directory; if one of the classes does not exist, the classSchema object fails to be added to the directory. The full set of auxiliary classes is the union of the systemAuxiliaryClass and auxiliaryClass properties of this class and of all the classes it inherits from.
availability
A measure of the fault tolerance of a computer and its programs. A highly available computer runs 24 hours a day, 7 days a week. See also fault tolerance.
available bit rate (ABR)
An ATM service type that supports available-bit-rate traffic, minimum guaranteed transmission rate, and peak data rates. ABR also allows bandwidth allocation depending on availability, and it uses flow control to communicate bandwidth availability to the end node.
available state
A state in which media can be allocated for use by applications.
averaging counter
A type of counter that measures a value over time and displays the average of the last two measurements over some other factor (for example, PhysicalDisk\Avg. Disk Bytes/Transfer).
AXFR
See full zone transfer.



B channel
One of the 64 Kbps communications channels on an ISDN circuit. A BRI (Basic Rate Interface) ISDN has two bearer channels and one data channel. A PRI (Primary Rate Interface) ISDN line has 23 bearer channels (in North America) or 30 bearer channels (in Europe) and one data channel. B channel is also called bearer channel. See also Integrated Services Digital Network (ISDN).
backbone area
In OSPF, an area common to all other OSPF areas that is used as the transit area for inter-area traffic and for distributing routing information between areas. The backbone must be contiguous. See also Open Shortest Path First (OSPF).
backbone router
In OSPF, a router that is connected to the backbone area. This includes routers that are connected to more than one area (area border routers). However, backbone routers do not have to be area border routers. Routers that have all networks connected to the backbone are internal routers. See also area border router; Open Shortest Path First (OSPF).
backup designated router (BDR)
An OSPF router that forms adjacencies with all other routers on a multiple access network and becomes the designated router when the designated router becomes unavailable.
backup domain controller
In Windows NT Server 4.0 or earlier, a computer running Windows NT Server that receives a copy of the domain's directory database (which contains all account and security policy information for the domain). The copy synchronizes periodically with the master copy on the primary domain controller. A backup domain controller also authenticates user logon information and can be promoted to function as the primary domain controller as needed. Multiple backup domain controllers can exist in a domain. Windows NT 3.51 and 4.0 backup domain controllers can participate in a Windows 2000 domain when the domain is configured in mixed mode. See also mixed mode; primary domain controller.
backup operator
A type of local or global group that contains the user rights needed to back up and restore files and folders. Members of the Backup Operators group can back up and restore files and folders regardless of ownership, access permissions, encryption, or auditing settings. See also auditing; global group; local group; user rights.
backup set
A collection of files, folders, and other data that has been backed up and stored in a file or on one or more tapes.
bad block
A disk sector that can no longer be used for data storage, usually due to media damage or imperfections.
bandwidth
In analog communications, the difference between the highest and lowest frequencies in a given range. For example, a telephone line accommodates a bandwidth of 3,000 Hz, the difference between the lowest (300 Hz) and highest (3,300 Hz) frequencies it can carry. In digital communications, the rate at which information is sent, expressed in bits per second (bps).
Bandwidth Allocation Control Protocol (BACP)
A PPP Network Control Protocol that negotiates the election of a favored peer for a Multilink PPP connection. If both ends of the multilink connection issue a Bandwidth Allocation Protocol (BAP) request at the same time, the request of the favored peer is performed.
Bandwidth Allocation Protocol (BAP)
A PPP control protocol that is used on a Multilink PPP connection to dynamically add and remove links.
bar code
A machine-readable label that identifies an object, such as physical media.
base DIT
The directory that is installed during a fresh install of a Windows 2000 domain controller.
base search
See search scope.
baseline
A range of measurements derived from performance monitoring that represents acceptable performance under typical operating conditions.
basic disk
A physical disk that contains primary partitions or extended partitions with logical drives used by Windows 2000 and all versions of Windows NT. Basic disks can also contain volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. As long as a compatible file format is used, basic disks can be accessed by MS-DOS, Windows 95, Windows 98, and all versions of Windows NT.
basic input/output system (BIOS)
The set of essential software routines that tests hardware at startup, is involved with starting the operating system, and supports the transfer of data among hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed when the computer is turned on. Although critical to performance, the BIOS is usually invisible to computer users.
basic volume
A volume on a basic disk. Basic volumes include primary partitions, logical drives within extended partitions, as well as volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. Only basic disks can contain basic volumes. Basic and dynamic volumes cannot exist on the same disk.
Berkeley Internet Name Domain (BIND)
An implementation of the Domain Name System (DNS) written and ported to most available versions of the UNIX operating system. The Internet Software Consortium maintains the BIND software. See also BIND boot file.
binary
A base-2 number system in which values are expressed as combinations of two digits, 0 and 1.
BIND
See Berkeley Internet Name Domain.
BIND boot file
Configuration file used by Domain Name System (DNS) servers running under versions of the Berkeley Internet Name Domain (BIND) software implementation. The BIND boot file is a text file, Named.boot, where individual lines in the file list boot directives used to start a service when the DNS server is started. By default, Microsoft DNS servers use DNS service parameters stored in the Windows 2000 registry, but allow the use of a BIND boot file as an alternative for reading boot configuration settings. See also BIND; registry boot.
bindery
A database in Novell NetWare 2.x and 3.x that contains organizational and security information about users and groups.
binding
A process by which software components and layers are linked together. When a network component is installed, the binding relationships and dependencies for the components are established. Binding allows components to communicate with each other.
BINL service
See Boot Information Negotiation Layer service.
BINL
See Boot Information Negotiation Layer service.
BIOS
See basic input/output system.
BIOS parameter block (BPB)
A series of fields containing data on disk size, geometry variables, and the physical parameters of the volume. The BPB is located within the boot sector.
bit
The smallest unit of information handled by a computer. One bit expresses a 1 or a 0 in a binary numeral, or a true or false logical condition. A group of 8 bits makes up a byte, which can represent many types of information, such as a letter of the alphabet, a decimal digit, or other character. Bit is also called binary digit.
bit stuffing
A technique used by PPP on synchronous links, such as T-Carrier, ISDN, or other digital links, to prevent the occurrence of the Flag character within the PPP frame.
bit-wise logical AND
A mathematical operation that compares equal numbers of bits using the logical AND comparison. If both bits being compared are 1, the result is 1. Otherwise, the result is 0.
bits per second (bps)
The number of bits transmitted every second, used as a measure of the speed at which a device, such as a modem, can transfer data. A character is made up of 8 bits. In asynchronous communication, each character is preceded by a start bit and terminates with a stop bit. So for each character, 10 bits are transmitted. If a modem communicates at 2,400 bits per second (bps), then 240 characters are sent every second.
black hole
A condition of an internetwork where packets are lost without an indication of the error.
block policy option
An option that prevents Group Policy objects specified in higher-level Active Directory containers from applying to a computer or user.
bonding
The combining of ISDN B channels through hardware support.
boot
To start or reset a computer. When first turned on or reset, the computer executes the software that loads and starts the computer's operating system, which prepares it for use.
Boot Information Negotiation Layer (BINL) service
A service that runs on Windows 2000 Server that acts on client boot requests. For example, by using Remote Installation Service the BINL service listens for and answers DHCP (PXE) requests. It also services Client Installation Wizard requests. BINL directs the client to the files needed to start the installation process. This service also checks Active Directory to verify credentials, determine whether a client needs service, and whether to create a new or reset an existing computer account on behalf of the client.
boot partition
The volume that contains the operating system and its support files. The boot partition can be (but does not have to be) the same as the system partition. Both a primary partition and a logical drive in an extended partition can be used as a boot partition.
boot sector
A critical disk structure for starting your computer, located in the first sector of each volume or floppy disk. It contains executable code and the data that code requires, including information used by the file system to access the volume. The boot sector is created when you format the volume.
bootable CD
An automated installation method that runs Setup from a CD-ROM. This method is useful for computers at remote sites with slow links and no local IT department. See also automated installation.
bootstrap protocol (BOOTP)
A set of rules or standards that enable computers to connect with one another, used primarily on TCP/IP networks to configure workstations without using media disks. RFCs 951 and 1542 define this protocol. DHCP is a boot configuration protocol that extends BOOTP and reuses its message format and UDP ports (67 and 68), so DHCP servers and BOOTP relay agents can serve both kinds of client.
Border Gateway Protocol (BGP)
A routing protocol designed for use between autonomous systems. See also autonomous system.
bottleneck
A condition, usually involving a hardware resource, that causes the entire system to perform poorly.
BounceKeys
A keyboard filter that assists users whose fingers bounce on the keys when pressing or releasing them.
bound trap
In programming, a problem in which a set of conditions exceeds a permitted range of values that causes the microprocessor to stop what it is doing and handle the situation in a separate routine.
boundary layer
A common interface between two software components that is standardized to allow other components to connect to this interface.
Bourne shell
A UNIX command processor developed by Steven Bourne.
branch
A segment of a logical tree structure, representing a folder and any folders that it contains.
bridgehead server
In Active Directory replication, a single server in each site that is designated to perform site-to-site replication. Bridgehead servers are designated automatically by the KCC, or they can be assigned manually by an administrator. Bridgehead servers ensure that most replication occurs within sites rather than between sites.
bridgehead server
A server that receives and forwards e-mail traffic at each end of a connection agreement, similar to the task a gateway performs.
broadcast address
An address that is destined for all hosts on a particular network segment. See also broadcast network.
broadcast and unknown server (BUS)
A multicast service on an emulated local area network (ELAN) that forwards broadcast, multicast, and initial unicast data traffic sent by a LAN emulation client. See also emulated local area network (ELAN).
broadcast datagram
An IP datagram sent to all hosts on the subnet. See also datagram.
broadcast message
A network message sent from a single computer that is distributed to all other devices on the same segment of the network as the sending computer.
broadcast name resolution
A mechanism defined in RFC 1001/1002 that uses broadcasts to resolve names to IP addresses through a process of registration, resolution, and name release. See also broadcast datagram; Request for Comments (RFC).
broadcast network
A network that supports more than two attached nodes and has the ability to address a single physical message to all of the attached nodes (broadcast). Ethernet is an example of a broadcast network.
browse list
Any list of items that can be browsed, such as a list of servers on a network, or a list of printers displayed in the Add Printer wizard.
browser
A client tool for navigating and accessing information on the Internet or an intranet. In the context of Windows networking, "browser" can also mean the Computer Browser service, a service that maintains an up-to-date list of computers on a network or part of a network and provides the list to applications when requested. When a user attempts to connect to a resource in a domain, the domain's browser is contacted to provide a list of available resources.
brute force attack
See key search attack.
buffer
An area of memory used for intermediate storage of data until it can be used.
buffer overflow attack
An attack in which an attacker exploits a weakness in a program or service to force a buffer overflow condition and then cause malicious code (provided by the attacker) to run in the computer's memory. Through a successful buffer overflow attack, an attacker can take control of the computer with the rights and permissions of the system and the logged-on user.
bulk encryption
A process in which large amounts of data, such as files, e-mail messages, or online communications sessions, are encrypted for confidentiality. It is usually done with a symmetric key algorithm. See also encryption; symmetric key encryption.
BUS
See broadcast and unknown server.
bus
A communication line used for data transfer among the components of a computer system. A bus is essentially a highway that allows different parts of the system to share data.



C shell
A UNIX command processor whose programming constructs are similar to those of the C language.
C2 level of security
U.S. government security level that designates a system that has controls capable of enforcing access limitations on an individual basis. In a C2 system, the owner of a system resource has the right to decide who can access it, and the operating system can detect when data is accessed and by whom.
cable modem
A modem that provides broadband Internet access in the range of 10 to 30 Mbps.
cache
For DNS and WINS, a local information store of resource records for recently resolved names of remote hosts. Typically, the cache is built dynamically as the computer queries and resolves names; it helps optimize the time required to resolve queried names. See also cache file; naming service; resource record.
cache file
A file used by the Domain Name System (DNS) server to preload its names cache when service is started. Also known as the "root hints" file because resource records stored in this file are used by the DNS service to help locate root servers that provide referral to authoritative servers for remote names. For Windows DNS servers, the cache file is named Cache.dns and is located in the %systemroot%\System32\Dns folder. See also authoritative; cache; systemroot.
cache hints file
See cache file.
caching
A special pool in memory in which recently used data values are temporarily held for quicker subsequent accesses. For DNS, the ability of DNS servers to store information about the domain namespace learned during the processing and resolution of name queries. In Windows 2000, caching is also available through the DNS client service (resolver) as a way for DNS clients to keep a cache of name information learned during recent queries. See also caching resolver.
caching resolver
For Windows 2000, a client-side Domain Name System (DNS) name resolution service that performs caching of recently learned DNS domain name information. The caching resolver service provides system-wide access to DNS-aware programs for resource records obtained from DNS servers during the processing of name queries. Data placed in the cache is used for a limited period of time and aged according to the active Time To Live (TTL) value. You can set the TTL either individually for each resource record (RR) or default to the minimum TTL set in the start of authority RR for the zone. See also cache; caching; expire interval; minimum TTL; resolver; resource record; Time To Live (TTL).
caching-only server
A DNS name server that only performs queries, caches the answers, and returns the results. It is not authoritative for any names and does not contain any zones. It only stores data that it has cached while resolving queries. See also caching; name server; zone.
Call Manager
A software component that establishes, maintains and terminates a connection between two computers.
Callback Control Protocol (CBCP)
The Network Control Protocol for negotiating the use of callback over PPP links.
capture buffer
The maximum size of the capture file. When the capture file reaches the maximum size, the oldest frames are removed to make room for newer frames (FIFO queue).
central site
In Systems Management Server, the primary site at the top of the Systems Management Server hierarchy, to which all other sites in the system report their inventory and events.
certificate
A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard. See also certification authority; private key; public key.
certificate revocation list (CRL)
A document maintained and published by a certification authority that lists certificates that have been revoked. A CRL is signed with the private key of the CA to ensure its integrity. See also certificate; certification authority.
Certificate Services
The Windows 2000 service that issues certificates for a particular CA. It provides customizable services for issuing and managing certificates for the enterprise. See also certificate; certification authority.
certificate stores
Windows 2000 stores public key objects, such as certificates and certificate revocation lists, in logical stores and physical stores. Logical stores group public key objects for users, computers, and services. Physical stores are where the public key objects are actually stored in the registry of local computers (or in Active Directory for some user certificates). Logical stores contain pointers to the public key objects in the physical stores. Users, computers, and services share many public key objects, so logical stores enable public key objects to be shared without requiring the storage of duplicates of the objects for each user, computer, or service.
certificate template
A Windows 2000 construct that profiles certificates (that is, it pre-specifies format and content) based on their intended usage. When requesting a certificate from a Windows 2000 enterprise certification authority (CA), certificate requesters are, depending on their access rights, able to select from a variety of certificate types that are based on certificate templates, such as "User" and "Code Signing". See also certificate; enterprise certification authority.
certificate trust list (CTL)
A signed list of root certification authority certificates that an administrator considers reputable for designated purposes, such as client authentication or secure e-mail. See also certificate; certification authority; root certificate; root certification authority.
Certificates console
A snap-in to the MMC. This console is used to manage certificate stores for users, computers, and services. See also certificate; certificate stores.
certification authority (CA)
An entity responsible for establishing and vouching for the authenticity of public keys belonging to users (end entities) or other certification authorities. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and certificate revocation. See also certificate; public key.
Certification Authority console
A Snap-in to the MMC. This console is used to configure and manage Windows 2000 certification authorities. See also certification authority.
certification hierarchy
A model of trust for certificates in which certification paths are created through the establishment of parent-child relationships between certification authorities. See also certification authority; certification path.
certification path
An unbroken chain of trust from a certificate to the root certification authority in a certification hierarchy. See also certification hierarchy; certificate.
Certification Practices Statement (CPS)
A formal statement that describes the certification policies and practices of a certification authority. See also certification authority.
Challenge Handshake Authentication Protocol (CHAP)
A challenge-response authentication protocol for PPP connections, documented in RFC 1994. The remote access server sends a random challenge; the client returns the industry-standard Message Digest 5 (MD5) one-way hash of the challenge combined with the shared secret, so the secret itself never crosses the link.
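The exchange described above, as an added example that is not part of the original glossary: a minimal RFC 1994 authenticator and peer in Python. The response value follows the RFC (MD5 over the one-octet Identifier, the secret, and the Challenge Value); the class and function names, the 16-byte challenge length, and the secret table are assumptions for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge Value).
    Identifier is the one-octet field copied from the Challenge packet."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the remote access server). It must hold each peer's secret in
    recoverable form, because it has to recompute the same MD5 value."""

    def __init__(self, secrets: dict):
        self._secrets = secrets        # peer name -> shared secret (hypothetical table)
        self._pending = {}             # identifier -> outstanding challenge value
        self._next_id = 0

    def challenge(self) -> tuple:
        """Build a Challenge packet: (Identifier, Challenge Value)."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # Identifier is one octet
        value = os.urandom(16)         # unique and unpredictable, as RFC 1994 requires
        self._pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Check a Response packet; True means Success, False means Failure."""
        challenge = self._pending.pop(ident, None)  # single use: a replay finds nothing
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def chap_exchange(server: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """Peer side driving one full exchange: Challenge -> Response -> Success/Failure."""
    ident, challenge = server.challenge()
    response = chap_response(ident, secret, challenge)
    return server.verify(ident, name, response)


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"s3cret"})   # constructed sample secret
    print("correct secret:", chap_exchange(server, "alice", b"s3cret"))
    print("wrong secret:  ", chap_exchange(server, "alice", b"guess"))
```

Two properties are worth noticing. The challenge is consumed on first use, so a captured response cannot be replayed; but a passive observer who records the challenge and response pair can test candidate secrets offline, which is why the secret must be long and random rather than a user-chosen password, and why the server must store it in recoverable form.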
change journal
A feature new to Windows 2000 that tracks changes to NTFS volumes, including additions, deletions, and modifications. The change journal exists on the volume as a sparse file.
change log
See quorum log.
changer
The robotic element of an online library unit.
character stuffing
A technique used by PPP on asynchronous links, such as analog phone lines, to prevent the occurrence of the Flag character within the PPP frame.
checkpoint
In a server cluster node's registry, a snapshot of the registry cluster key or of an application key. The checkpoint is written to the quorum disk when certain events take place, such as a node failure. See also cluster database.
child domain
For DNS and Active Directory, a domain located in the namespace tree directly beneath another domain name (its parent domain). For example, "example.reskit.com" is a child domain of the parent domain, "reskit.com" Child domain is also called subdomain. See also directory partition; domain; parent domain.
child object
An object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior, or parent, object. In Active Directory, the schema determines what classes of objects can be child objects of what other classes of objects. Depending on its class, a child object can also be the parent of other objects. See also object; parent object.
Chooser
The Macintosh desk accessory with which users select the network server and printers they want to use.
CIDR block
A block of IP addresses allocated using Classless Interdomain Routing (CIDR).
cipher
The method of forming a hidden message. The cipher is used to transform a readable message called plaintext (also sometimes called cleartext) into an unreadable, scrambled, or hidden message called ciphertext. Only someone with a secret decoding key can convert the ciphertext back into its original plaintext. See also ciphertext; plaintext; cryptography.
cipher block chaining (CBC)
A block cipher mode used to hide patterns of identical blocks of data within a packet. Each plaintext block is XORed with the previous ciphertext block before it is encrypted with the secret key, so two identical plaintext blocks produce different ciphertext blocks. An Initialization Vector (a random block) stands in for the previous ciphertext block when the first block is encrypted, so that the same message encrypted twice under the same key also yields different ciphertext.
ciphertext
Text that has been encrypted using an encryption key. Ciphertext is meaningless to anyone who does not have the decryption key. See also decryption; encryption; encryption key; plaintext.
class
A category of objects that share a common set of characteristics. Each object in the directory is an instance of one or more classes in the schema.
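The pattern-hiding property of cipher block chaining, as an added example that is not part of the original glossary. Because the Python standard library ships no block cipher, the block function here is an assumed four-round Feistel construction built on SHA-256; it is invertible but not secure, and exists only so that ECB and CBC can be compared on the same input. PKCS#7-style padding and the 8-byte block size are likewise assumptions.

```python
import hashlib
import os

BLOCK = 8                 # block size of the toy cipher, in bytes
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function. The Feistel structure is invertible regardless of _f.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (four Feistel rounds). NOT secure; demonstration only."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left   # undo the final swap


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _chunks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic codebook: every block encrypted independently, so equal
    plaintext blocks give equal ciphertext blocks."""
    return b"".join(toy_encrypt_block(key, b) for b in _chunks(_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV
    for the first block) before encrypting it."""
    assert len(iv) == BLOCK
    prev, out = iv, []
    for block in _chunks(_pad(plaintext)):
        prev = toy_encrypt_block(key, _xor(block, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length must be a positive multiple of BLOCK")
    prev, out = iv, []
    for block in _chunks(ciphertext):
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier block: the pattern leak."""
    chunks = _chunks(ciphertext)
    return len(chunks) - len(set(chunks))


if __name__ == "__main__":
    key, iv = b"demo-key", os.urandom(BLOCK)
    msg = b"ATTACK AT DAWN. " * 4       # constructed: a 16-byte phrase repeated
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, iv, msg)))
```

With the repeated message, ECB produces the same ciphertext block every time the phrase recurs, while CBC produces none. Note what CBC does not give you: decrypting with a wrong IV garbles only the first block, and nothing detects modification of the ciphertext, so bulk encryption in practice pairs CBC (or a modern authenticated mode) with an integrity check.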
Class A IP address
A unicast IP address that ranges from to The first octet indicates the network, and the last three octets indicate the host on the network. See also Class B IP address; Class C IP address; IP address.
Class B IP address
A unicast IP address that ranges from to The first two octets indicate the network, and the last two octets indicate the host on the network. See also Class A IP address; Class C IP address; IP address.
Class C IP address
A unicast IP address that ranges from to The first three octets indicate the network, and the last octet indicates the host on the network. Network Load Balancing provides optional session support for Class C IP addresses (in addition to support for single IP addresses) to accommodate clients that make use of multiple proxy servers at the client site. See also Class A IP address; Class B IP address; IP address.
Class D IP address
The Internet address class designed for IP multicast addresses. The value of the first octet for Class D IP addresses and networks varies from 224 to 239.
Class E IP address
The Internet address class designed for experimental use only. The value of the first octet for Class E IP addresses and networks starts at 240.
classful
IP addressing or routing that is based on the internet address classes.
classical IP over ATM (CLIP)
A proposed Internet standard, described in RFC 2225 and other related RFCs, that allows IP communication directly on the ATM layer. See also Asynchronous Transfer Mode; Internet Protocol.
Classless Interdomain Routing (CIDR)
A method of allocating public IP addresses that is not based on the original internet address classes. Classless Interdomain Routing (CIDR) was developed to help prevent the depletion of public IP addresses and minimize the size of Internet routing tables.
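The classful entries above, the bit-wise logical AND entry, and CIDR all describe the same operation applied with different masks. The following is an added example, not part of the original glossary, that derives the class from the first octet (the RFC 791 class boundaries: 0 to 127 is A, 128 to 191 is B, 192 to 223 is C, 224 to 239 is D, 240 to 255 is E), ANDs the address with the class's default mask, and then does the same AND with a CIDR block's own prefix. The function names and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Address classes by first-octet range, with the default mask for the
# classes that have a network/host split (D and E have none).
_CLASSES = (
    ("A", 0, 127, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # experimental
)


def _lookup(addr: str) -> tuple:
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    for name, lo, hi, mask in _CLASSES:
        if lo <= first_octet <= hi:
            return ip, name, mask
    raise ValueError(f"no class for {addr}")   # unreachable: the ranges cover 0..255


def ip_class(addr: str) -> str:
    """Class letter A..E decided by the first octet alone."""
    return _lookup(addr)[1]


def classful_network(addr: str) -> str:
    """Classful network in prefix notation: address AND default class mask."""
    ip, name, mask = _lookup(addr)
    if mask is None:
        raise ValueError(f"class {name} addresses have no network part")
    mask_int = int(ipaddress.IPv4Address(mask))
    network = int(ip) & mask_int                    # the bit-wise logical AND
    prefix = bin(mask_int).count("1")               # number of leading 1 bits
    return f"{ipaddress.IPv4Address(network)}/{prefix}"


def cidr_contains(block: str, addr: str) -> bool:
    """CIDR membership: the same AND, but with the block's own prefix length
    instead of the classful default. strict=True rejects '172.16.5.0/22',
    whose host bits are not all zero."""
    net = ipaddress.IPv4Network(block, strict=True)
    return int(ipaddress.IPv4Address(addr)) & int(net.netmask) == int(net.network_address)


if __name__ == "__main__":
    addr = "172.16.5.4"                             # constructed sample address
    print(addr, "is class", ip_class(addr), "in", classful_network(addr))
    print(addr, "in 172.16.4.0/22:", cidr_contains("172.16.4.0/22", addr))
```

The last two calls show why CIDR was introduced: classful rules put 172.16.5.4 in a /16 with 65,534 host addresses, whereas a CIDR allocation of 172.16.4.0/22 hands the same site a block of 1,022 and lets the rest of the former class B network go to other sites.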
clean installation
The process of installing an operating system on a clean or empty partition of a computer's hard disk.
cleartext
See plaintext.
client
Any computer or program connecting to, or requesting services of, another computer or program. See also server.
client access point
In Systems Management Server, a site system that provides a set of shared directories and files that create a common communication point between the site server and clients.
client request
A service request from a client to a server or, for Network Load Balancing, a cluster of computers. Network Load Balancing forwards each client request to a specific host within the cluster according to the system administrator's load-balancing policy. See also client; cluster; host; server.
Client Service for NetWare
A service included with Windows 2000 Professional that allows clients to make direct connections to resources on computers running NetWare 2.x, 3.x, 4.x, or 5.x server software.
client-side extensions
Group Policy components that, in certain cases, are responsible for implementing Group Policy on a client.
CLIP
See Classical IP over ATM.
ClonePrincipal
A tool that allows the incremental migration of users to a Windows 2000 environment without affecting the existing Windows NT production environment.
closed captioning
Alternative representation, usually text, of audio or graphics media that can be seen only on a specially equipped receiver.
In a server cluster, the snapshot of the startup cluster registry key stored in the local disk.
cluster
A group of independent computer systems, known as nodes or hosts, that work together as a single system to ensure that mission-critical applications and resources remain available to clients. A server cluster is the type of cluster that the Cluster service implements. Network Load Balancing provides a software solution for clustering multiple computers running Windows 2000 Server that provide networked services over the Internet and private intranets. In file systems, a cluster is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on clusters, also called allocation units. The smaller the cluster size, the more efficiently a disk stores information. If no cluster size is specified during formatting, Windows 2000 picks defaults based on the size of the volume and the file system used. These defaults are selected to reduce the amount of space lost and the amount of fragmentation on the volume.
Cluster Administrator
An application (Cluadmin.exe) used to configure a cluster and its nodes, groups, and resources. Cluster Administrator can run on any member of the trusted domain regardless of whether the computer is a cluster node. See also cluster; Cluster Administrator extension; Cluster.exe; node; resource.
Cluster Administrator extension
A dynamic-link library (DLL) that enables Cluster Administrator to manage a custom resource type. A Cluster Administrator extension uses the Cluster Administrator Extension API. See also cluster; Cluster Administrator; resource.
cluster API
A collection of functions implemented by the cluster software and used by a cluster-aware client or server application, a cluster management application, or a resource DLL. The cluster API is used to manage the cluster, cluster objects, and the cluster database. See also cluster; cluster-aware application; dynamic-link library; node; resource; resource DLL.
Cluster controller
An IBM Systems Network Architecture component that manages input/output operations for clusters of terminals or attached network devices.
cluster database
The database of configuration data (cluster objects and their settings) pertinent to the cluster. This database is the product of the cluster registry key checkpoint and the changes recorded in the quorum log. Every node of the cluster maintains a local copy of this database in the cluster hive of its registry. See also checkpoint; cluster hive.
cluster disk
A disk on a shared bus connected to the cluster nodes, which all the cluster nodes can access (though not at the same time).
cluster hive
In the system registry of a server cluster node, the local copy of the cluster database; the portion of the system registry on each node that contains the configuration data of a cluster. When all the cluster nodes are up, changes to the cluster hive are synchronized on all cluster nodes, and the cluster hive is identical with the cluster database. While a node is down, that node's cluster hive is not updated with cluster configuration changes, but the changes are recorded on the quorum log. At startup, the local copy might have out-of-date information. If so, it is recreated using the last checkpoint and the change records in the quorum log. See also checkpoint; cluster database.
cluster log
An optionally enabled trace record of Cluster service events on a node. Not synonymous with quorum log.
cluster object
A physical or logical unit managed by the Cluster service. Cluster objects include nodes, networks, network interfaces (see network adapter), groups, resources, and resource types.
cluster registry key
The portion of the system registry on each node that contains the property and configuration data for the cluster, nodes, and specified resources. The cluster key is synchronized on all nodes in the cluster and on the quorum disk.
Cluster service
Clussvc.exe, the primary executable of the Windows Clustering component that creates a server cluster, controls all aspects of its operation, and manages the cluster database. Each node in a server cluster runs one instance of the Cluster service.
The classification of an application or service that runs on a server cluster node, is managed as a cluster resource, and is designed to be aware of and interact with the server cluster environment. Cluster-aware applications use the Cluster API to receive status and notification information from the server cluster. See also Cluster API; cluster-unaware application; node; resource DLL.
cluster-aware application
An application or service that runs on a server cluster node and is managed as a cluster resource. Cluster-aware applications use the Cluster API to receive status and notification information from the server cluster. See also Cluster API; cluster-unaware application; node.
cluster-capable disk
A disk that can be accessed by all server cluster nodes.
cluster-unaware application
In a server cluster, the classification of an application or service that can run on a node and be managed as a cluster resource but does not support the Cluster API and therefore has no inherent knowledge of its environment. See also cluster-aware application; node.
Cluster.exe
An alternative to using Cluster Administrator to administer clusters from the Windows 2000 command prompt. Cluster.exe can be called from command scripts to automate many cluster administration tasks. See also Cluster Administrator.
cn (Common-Name)
The descriptive relative distinguished name for the schema object.
canonical name
For Active Directory, an object's distinguished name presented with the root first and without the LDAP attribute tags (such as CN= or DC=). The segments of the name are delimited with forward slashes (/). For example, CN=MyDocuments,OU=MyOU,DC=Microsoft,DC=Com is presented as microsoft.com/MyOU/MyDocuments in canonical form. For DNS, a type of resource record. See also distinguished name; Lightweight Directory Access Protocol (LDAP); canonical name (CNAME) resource record.
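The conversion described above, as an added example that is not part of the original glossary: a small Python converter from an LDAP distinguished name to Active Directory canonical form. It joins the DC components into the DNS name (lowercased, as in the glossary's own example) and reverses the remaining RDNs. The parser honours RFC 2253 backslash escapes so that a comma inside a value does not split the RDN; hexadecimal (\XX) escapes are not handled, and escaping a forward slash inside a value as \/ in the output is an assumption made so that the path separators stay unambiguous. Function names are illustrative.

```python
def parse_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    "CN=Smith\\, John,OU=Users,DC=example,DC=com" yields
    [("CN", "Smith, John"), ("OU", "Users"), ("DC", "example"), ("DC", "com")].
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is taken literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def canonical_name(dn: str) -> str:
    """Root-first form: DNS name from the DC components, then containers top-down."""
    pairs = parse_dn(dn)
    dcs = [value for attr, value in pairs if attr == "DC"]
    others = [value for attr, value in pairs if attr != "DC"]
    if not dcs:
        raise ValueError("DN has no DC components, so it has no DNS domain part")
    domain = ".".join(dcs).lower()
    # Non-DC RDNs are listed leaf-first in a DN; canonical form wants the reverse.
    # A "/" inside a value would collide with the separator, so it is escaped.
    path = [value.replace("/", "\\/") for value in reversed(others)]
    return "/".join([domain] + path)


if __name__ == "__main__":
    print(canonical_name("CN=MyDocuments,OU=MyOU,DC=Microsoft,DC=Com"))
    print(canonical_name("CN=Smith\\, John,OU=Users,DC=example,DC=com"))
```

The escape handling is the part that matters when this conversion sits in an access-control or logging path: a user whose name contains a comma or slash must not be able to make one object's canonical name look like another's.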
code signing
The process of digitally signing software code to ensure its integrity and provide assurance of its origin.
cognitive disabilities
Impairments resulting from perceptual anomalies, memory loss, and learning and developmental disabilities, such as dyslexia and Down syndrome.
collection
In Systems Management Server, a set of resources in a site defined by membership rules. Collections are used to distribute software, view inventory on clients, and access clients for remote tool sessions.
COM
See Component Object Model.
Comma Separated Value (CSV) scripts
Windows 2000 includes a command-line utility, CSVDE, to import directory objects using .csv files and export directory objects as .csv files. CSV scripts are targeted for ease-of-use. The first line in the script identifies the attributes in the lines that follow. Columns are separated by commas. The file format is compatible with the Microsoft Excel CSV format, so that files are easily created. Use Excel or any other tool that can read and write .csv files. A benefit of using CSVDE is that it supports Unicode.
Comma Separated Value Directory Exchange (CSVDE)
A command-line utility that allows you to import objects into and export objects from Active Directory. On import, CSVDE can only create new objects; it cannot modify or delete existing directory objects (LDIFDE is required for that). By using this utility, objects are stored in the Microsoft Comma-Separated Value (CSV) file format. The CSV file format is supported by many other applications, such as Microsoft Excel, that can read and save data in the CSV file format. Also, Microsoft Exchange Server administration tools can import and export data using the CSV format. CSVDE can be run on a Windows 2000 server or copied to a Windows 2000 workstation.
command control block (CCB)
A specifically formatted information set used in the IBM Token Ring environment that is transmitted from the application program to the adapter support software to request an operation.
common gateway interface (CGI)
A server-side interface for initiating software services. For example a set of interfaces that describe how a Web server communicates with software on the same computer. Any software can be a CGI program if it handles input and output according to the CGI standard.
Common Internet File System (CIFS)
A protocol and a corresponding API used by application programs to request higher level application services. CIFS was formerly known as SMB (Server Message Block).
Common Programming Interface for Communications (CPIC)
A platform-independent API developed by IBM to provide portability for APPC LU 6.2-based applications.
A process that reclaims space and defragments disks to improve WINS server performance.
complementary metal-oxide semiconductor (CMOS)
The battery-backed memory that stores information, such as disk types and amount of memory, used to start the computer.
completed state
A state that indicates that media can no longer be used for write operations.
Component Object Model (COM)
An object-based programming model designed to promote software interoperability; it allows two or more applications or components to easily cooperate with one another, even if they were written by different vendors, at different times, in different programming languages, or if they are running on different computers running different operating systems. COM is the foundation technology upon which broader technologies can be built. Object linking and embedding (OLE) technology and ActiveX are both built on top of COM.
computer account objects
Objects used to identify a specific computer account in Windows NT Server 4.0 or Windows 2000 Server.
computer name
A unique name of up to 15 uppercase characters that identifies a computer to the network. The name cannot be the same as any other computer or domain name in the network.
confidentiality
A basic security function of cryptography. Confidentiality provides assurance that only authorized users can read or use confidential or secret information. Without confidentiality, anyone with network access can use readily available tools to eavesdrop on network traffic and intercept valuable proprietary information. For example, an Internet Protocol security service ensures that a message is disclosed only to intended recipients by encrypting the data. See also cryptography; authentication; integrity; nonrepudiation.
connection agreement
A configurable section in the ADC user interface that holds information such as the server names to contact for synchronization, object classes to synchronize, target containers, and the synchronization schedule. See also Active Directory Connector (ADC).
connection establishment delay
The delay encountered when forwarding a packet across a demand-dial connection that is not yet up. The delay is due to the connection establishment process, consisting of creating a physical connection and/or a logical connection and then a PPP connection.
connection object
An Active Directory object that represents a replication connection from one domain controller to another. The connection object is a child of the replication destination's NTDS Settings object and identifies the replication source server, contains a replication schedule, and specifies a replication transport. Connection objects are created automatically by the Knowledge Consistency Checker, but they can also be created manually. Automatically generated connections must not be modified by the user unless they are first converted into manual connections.
connection-oriented
A type of network protocol that requires an end-to-end virtual connection between the sender and receiver before data is exchanged across the network.
connection-oriented communication
A network transmission service where a physical or logical link is negotiated and established prior to packet transmission.
Connection-Oriented NDIS (Co-NDIS)
A Network Driver Interface Specification that supports connection-oriented data transfer.
connection-specific DNS suffix
A DNS suffix specific to an adapter, rather than global to the computer. During the name resolution process, it is appended to an incomplete name. An incomplete name might be a single-label name or a multiple-label name that is not dot-terminated and cannot be resolved as a fully qualified domain name. Connection-specific DNS suffixes can also be used for registration of the computer's name.
connection-specific domain name
A domain name specific to an adapter, rather than global to the computer. See also domain name.
connectionless
A network protocol in which a sender transmits packets to an intended receiver without first establishing a connection to the receiver.
console
A framework for hosting administrative tools in the Microsoft Management Console (MMC). A console is defined by the items in its console tree, which might include folders or other containers, World Wide Web pages, and other administrative items. A console has windows that can provide views of the console tree, and the administrative properties, services, and events that are acted on by the items in the console tree.
console tree
The tree view pane in a Microsoft Management Console (MMC) that displays the hierarchical namespace. By default it is the left pane of the console window, but it can be hidden. The items in the console tree (for example, Web pages, folders, and controls) and their hierarchical organization determine the management capabilities of a console. See also Microsoft Management Console (MMC); namespace.
constant bit rate (CBR)
An ATM service type that supports constant bandwidth allocation. This service type is used for voice and video transmissions that require little or no cell loss and rigorous timing controls during transmission.
container object
An object that can logically contain other objects. For example, a folder is a container object. See also noncontainer object; object.
context switch
An event that occurs when the kernel switches the processor from one thread to another, for example, when an I/O operation causes a thread to be blocked and the operating system selects another thread to run on the processor.
convergence
The process of stabilizing a system after changes occur in the network. For routing, if a route becomes unavailable, routers send update messages throughout the internetwork, reestablishing information about preferred routes. For Network Load Balancing, a process by which hosts exchange messages to determine a new, consistent state of the cluster and to elect the host with the highest host priority, known as the default host. During convergence, a new load distribution is determined for hosts that share the handling of network traffic for specific TCP or UDP ports. See also cluster; default host; host; User Datagram Protocol (UDP).
convergence time
The time it takes for the internetwork to achieve convergence. See convergence.
cost
A unitless metric configured on OSPF routers that indicates the preference for using a particular link; lower cost is preferred.
cross-reference object
In Active Directory, an object that contains knowledge of one directory partition. Cross-reference objects are used to generate referrals to other directory partitions and to foreign directories. On a specified domain controller, subject to replication latency, the combination of all cross-references provides knowledge of all directory partitions in the forest, irrespective of location in the directory tree.
cryptanalysis
The art and science of breaking ciphertext. In contrast, the art and science of keeping messages secure is cryptography. See also ciphertext; cryptography; plaintext.
crypto-accelerator board
A hardware device that speeds up cryptographic operations by offloading operations to a special processor on the board.
CryptoAPI (CAPI)
An application programming interface (API) that is provided as part of Windows 2000. CryptoAPI provides a set of functions that allow applications to encrypt or digitally sign data in a flexible manner while providing protection for private keys. Actual cryptographic operations are performed by independent modules known as cryptographic service providers (CSPs). See also cryptographic service provider; private key.
cryptographic key
See encryption key.
cryptographic service provider (CSP)
An independent software module that performs cryptographic operations such as secret key exchange, digital signing of data, and public key authentication. Any Windows 2000 service or application can request cryptographic operations from a CSP. See also CryptoAPI.
cryptography
The art and science of information security. It provides four basic information security functions: confidentiality, integrity, authentication, and nonrepudiation. See also confidentiality; integrity; authentication; nonrepudiation.
cryptology
The science that encompasses both cryptography and cryptanalysis. See also cryptanalysis; cryptography.
CSVDE
See Comma-Separated Value Directory Exchange.
current directory
The directory being worked in currently. Also called current folder.
current working directory
The directory that a user is associated with at any given time.
custom resource type
A resource type defined by a third-party developer using the Cluster service API.
custom subnet mask
A subnet mask that is not based on the Internet address classes. Custom subnet masks are commonly used when subnetting.
cyclical redundancy check (CRC)
A procedure for detecting errors in data transmission. The sender treats the transmitted data as one long binary number, divides it by a fixed polynomial, and sends the remainder along with the data; the receiver repeats the same division after transmission. If both sides obtain the same remainder, the transmission is assumed to have been error-free. The procedure is called a redundancy check because each transmission carries not only data but extra (redundant) error-checking bits. A CRC detects accidental corruption such as line noise, but because the calculation is unkeyed and linear, anyone who can alter the data can also produce a matching CRC; protecting data against deliberate modification requires a keyed message authentication code or a digital signature. Communications protocols such as XMODEM and Kermit use cyclical redundancy checking.
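The following is an added illustration of the entry above, not code from the original page: a table-driven CRC-32 (the variant used by ZIP, PNG and Ethernet, which matches Python's zlib.crc32), the sender/receiver check, and a demonstration of why it is not an integrity mechanism against an attacker. The linearity identity crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c) for equal-length inputs lets an attacker flip chosen bits and repair the trailer without recomputing over the whole message. The messages, key and tamper() helper are constructed for the example.

```python
"""CRC-32 error detection versus keyed integrity protection.

Added example for the 'cyclical redundancy check' entry; the messages,
the HMAC key and the tamper() helper are constructed."""
import hashlib
import hmac
import zlib

POLY = 0xEDB88320  # bit-reversed form of the CRC-32 polynomial 0x04C11DB7


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data: bytes) -> int:
    """Standard CRC-32: init 0xFFFFFFFF, reflected, final XOR 0xFFFFFFFF."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    return crc32(data) == zlib.crc32(data)


def frame(payload: bytes) -> bytes:
    """Sender: append the 4-byte CRC trailer to the payload."""
    return payload + crc32(payload).to_bytes(4, "little")


def check_frame(f: bytes):
    """Receiver: recompute the CRC and compare. Returns (ok, payload)."""
    payload, trailer = f[:-4], f[-4:]
    return crc32(payload) == int.from_bytes(trailer, "little"), payload


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a^b^c) == crc(a)^crc(b)^crc(c)."""
    return crc32(xor_bytes(xor_bytes(a, b), c)) == crc32(a) ^ crc32(b) ^ crc32(c)


def tamper(f: bytes, delta: bytes) -> bytes:
    """Attacker: XOR `delta` (same length as the payload) into the payload
    and fix the trailer using only linearity. The original payload is not
    needed, only its length and its old CRC: crc(p^d) = crc(p)^crc(d)^crc(0)."""
    payload, trailer = f[:-4], f[-4:]
    old = int.from_bytes(trailer, "little")
    adjust = crc32(delta) ^ crc32(bytes(len(delta)))
    return xor_bytes(payload, delta) + (old ^ adjust).to_bytes(4, "little")


def mac_frame(key: bytes, payload: bytes) -> bytes:
    """The keyed alternative: an HMAC-SHA256 tag the attacker cannot recompute."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def check_mac_frame(key: bytes, f: bytes):
    payload, tag = f[:-32], f[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag), payload
```

Run against the constructed message "transfer $100 to alice": a random bit flip is caught by check_frame, but tamper() turns it into "transfer $900 to alice" with a trailer that still verifies, whereas the same modification of an HMAC-protected frame fails verification.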



daemon
A program, usually associated with UNIX systems, that runs in the background performing service or housekeeping functions without user intervention or awareness. Pronounced "demon".
DARPA model
The four-layer model that is used to describe the TCP/IP protocol suite. The four layers of the DoD (Department of Defense) Advanced Research Projects Agency (DARPA) model are: Application, Transport, Internet, and Network Interface.
data decryption field (DDF)
A header field, in a file encrypted by using the Encrypting File System, that contains the file encryption key encrypted with the file encryptor's public key.
Data Encryption Standard (DES)
A block cipher that uses a 56-bit key and maps a 64-bit input block to a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, leaving 56 bits of usable key. A 56-bit key is small enough to be recovered by an exhaustive key search, which is why 3DES is preferred where DES-family encryption is still required. See also key search attack.
Data Link Control (DLC)
A protocol used primarily for IBM mainframe computers and printer connectivity.
data recovery field (DRF)
A header field, in a file encrypted by using the Encrypting File System, that contains the file encryption key encrypted with a recovery agent's public key.
data stream
All information transferred over a network at any given time.
data-link layer
A layer that packages raw bits from the physical layer into frames (logical, structured packets for data). This layer is responsible for transferring frames from one computer to another without errors. In connection-oriented link protocols, the data-link layer waits for an acknowledgment from the receiving computer after sending a frame.
Database Manager
The Cluster service component that controls access to the cluster database.
datagram
An unacknowledged packet of data sent to another network destination. The destination can be another device directly reachable on the local area network (LAN) or a remote destination reachable using routed delivery through a packet-switched network.
datagram socket
A socket using the Windows Sockets API that provides a connectionless, unreliable flow of data.
DCOM
See Distributed Component Object Model.
DCOM Configuration tool
A Windows NT Server tool that can be used to configure 32-bit applications for DCOM communication over the network. See also DCOM.
dead gateway detection
The practice of the Windows 2000 TCP/IP protocol to change the default gateway to the next default gateway in the list of configured default gateways when a specific number of connections retransmit segments.
deallocate
To return media to the available state after they have been used by an application.
decommissioned state
A state that indicates that media have reached their allocation maximum.
decryption
The process of making encrypted data readable again by converting ciphertext to plaintext. See also ciphertext; encryption; plaintext.
deep search
See search scope.
default gateway
A configuration item for the TCP/IP protocol that is the IP address of a directly reachable IP router. Configuring a default gateway creates a default route in the IP routing table.
default host
The host with the highest host priority for which a drainstop command is not in progress. After convergence, the default host handles all of the network traffic for TCP and UDP ports that are not otherwise covered by port rules. See also convergence; drainstop; host priority; port rule; User Datagram Protocol.
default network
In the Macintosh environment, the physical network on which the processes of the server reside as nodes and on which the server appears to users. The default network of the server must be one to which that server is attached. Only servers on AppleTalk Phase 2 internets have default networks.
default printer
The printer to which a computer sends documents if the Print command is selected without first specifying which printer to use with a program.
default route
A route that is used when no other route for the destination is found in the routing table. For example, if a router or end system cannot find a network route or host route for the destination, the default route is used. The default route simplifies the configuration of end systems and routers. In IP routing tables, the default route is the route with a network destination of 0.0.0.0 and a netmask of 0.0.0.0.
default subnet mask
A subnet mask that is used on an Internet address class-based network. The default subnet mask for Class A is 255.0.0.0, for Class B it is 255.255.0.0, and for Class C it is 255.255.255.0.
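The following added example (not code from the original page) ties together the entries for the default gateway, the default route, the default subnet mask and custom subnet masks: a classful mask derived from the first octet, a small constructed routing table with an on-link route, a subnetted (custom-mask) route and the 0.0.0.0/0.0.0.0 default route, and a longest-prefix lookup that falls back to the default route only when nothing more specific matches. The gateway-reachability check reflects the requirement that a default gateway be a directly reachable router; an entry whose gateway is not on an attached network is silently useless, and a gateway that was injected by an untrusted DHCP server or ICMP redirect is exactly the kind of entry worth auditing with a check like this.

```python
"""Classful default masks and longest-prefix route lookup with a default route.

Added example; the routing table, interface names and addresses are constructed."""
import ipaddress


def default_subnet_mask(addr: str) -> str:
    """Classful default mask from the first octet (Class A, B or C)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError("no default subnet mask for a Class D/E address")


def is_custom_mask(addr: str, mask: str) -> bool:
    """A mask that differs from the classful default implies subnetting."""
    return mask != default_subnet_mask(addr)


# (network destination, netmask, gateway, interface); gateway 0.0.0.0 = on-link
ROUTES = [
    ("10.0.0.0", "255.0.0.0", "0.0.0.0", "eth0"),        # attached Class A network
    ("10.1.2.0", "255.255.255.0", "10.0.0.1", "eth0"),   # subnet reached via a router
    ("0.0.0.0", "0.0.0.0", "10.0.0.254", "eth0"),        # default route
]


def _net(dest: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)


def lookup(dest: str, routes=ROUTES):
    """Return (gateway, interface) for the most specific matching route, or
    None when no route matches. The default route matches every address with
    prefix length 0, so it is chosen only when nothing else matches."""
    d = ipaddress.IPv4Address(dest)
    best = None
    for net, mask, gw, iface in routes:
        n = _net(net, mask)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return None if best is None else (best[1], best[2])


def gateway_is_directly_reachable(gateway: str, routes=ROUTES) -> bool:
    """A gateway (including the default gateway) must lie on a directly
    attached network, i.e. inside some on-link, non-default route."""
    g = ipaddress.IPv4Address(gateway)
    return any(
        g in _net(net, mask)
        for net, mask, gw, _ in routes
        if gw == "0.0.0.0" and mask != "0.0.0.0"
    )


def audit_routes(routes=ROUTES):
    """List (destination, gateway) pairs whose gateway is not directly reachable."""
    return [(net, gw) for net, mask, gw, _ in routes
            if gw != "0.0.0.0" and not gateway_is_directly_reachable(gw, routes)]
```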
default zone
The zone to which all Macintosh clients on a network are assigned by default.
defaultObjectCategory
The distinguished name of the classSchema object for the class that should be used by default as the objectCategory for new instances of this class. This is an indexed property used to make object class searches fast and efficient.
By default, defaultObjectCategory is set to the distinguished name of the classSchema object for this class. If this object will be frequently queried by the value of a superclass rather than the object's own class, defaultObjectCategory can be set in the schema to the desired value.
If you are subclassing a structural class, best practice is to set this to the same value as the superclass. This allows the standard UI to "find" your subclass.
deferred procedure call (DPC)
A kernel-defined control object type that represents a procedure that is to be called later. A DPC runs at DISPATCH_LEVEL IRQL. A DPC can be used when a timer event occurs or when an ISR needs to perform more work but should do so at a lower interrupt request level than the one at which an ISR executes. In an SMP environment, a DPC might run immediately on a processor other than the current one, or might run after another interrupt has run on the current processor.
defragmentation
The process of rewriting parts of a file to contiguous sectors on a hard disk to increase the speed of access and retrieval. When files are updated, the computer tends to save these updates in the largest contiguous free space on the hard disk, which is often in a different area than the other parts of the file. When files are thus fragmented, the computer must search the hard disk each time the file is opened to find all of its parts, which slows down response time. In Active Directory, defragmentation rearranges how the data is written in the directory database file to compact it. See also fragmentation.
delegation
The ability to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization. For DNS, a name server (NS) record in the parent zone that lists the name server authoritative for the delegated zone. See also inheritance; parenting.
delegation wizard
A wizard used to distribute precise elements of the administrator's workload to others.
demand-dial connection
A connection, typically using a circuit-switched wide area network link, that is initiated when data needs to be forwarded. The demand-dial connection is typically terminated when there is no traffic.
demand-dial filter
An IP packet filter that specifies which types of TCP/IP traffic cause a demand-dial connection to be established and which types are ignored for that purpose.
demand-dial interface
A logical interface that represents a demand-dial connection (a PPP link) that is configured on the calling router. The demand-dial interface contains configuration information such as the port to use, the addressing used to create the connection (such as a phone number), authentication and encryption methods, and authentication credentials.
demand-dial routing
Routing that makes dial-up connections to connect networks based on need. For example, a branch office with a modem that dials and establishes a connection only when there is network traffic from one office to another.
demultiplexing
The action of forwarding a packet to the proper process, such as when an IPX packet arrives at its destination and is handed to the IPX protocol.
denial-of-service attack
An attack in which an attacker exploits a weakness or a design limitation of a network service to overload or halt the service, so that the service is not available for use. This type of attack is typically launched to prevent other users from using a network service such as a Web server or a file server.
dependency
In clustering, the state in which one resource must be online before a second resource can come online.
dependency tree
A discrete set of resources that are connected to each other by dependency relationships. All resources in a specified dependency tree must be members of a single group. See also dependency; resource.
designated router (DR)
An OSPF router that forms adjacencies with all other routers on a multiple access network.
desired free space
The amount of free space that should be maintained on a volume at all times during normal use.
desktop
The on-screen work area in which windows, icons, menus, and dialog boxes appear.
device
Any piece of equipment that can be attached to a network or computer, for example, a computer, printer, joystick, adapter or modem card, or any other peripheral equipment. Devices normally require a device driver to function with Windows 2000. See also device driver.
device driver
A program that allows a specific device, such as a modem, network adapter, or printer, to communicate with Windows 2000. Although a device can be installed on a system, Windows 2000 cannot use the device until the appropriate driver has been installed and configured. If a device is listed in the Hardware Compatibility List (HCL), a driver is usually included with Windows 2000. Device drivers load (for all enabled devices) when a computer is started, and thereafter run invisibly. See also Hardware Compatibility List (HCL).
device fonts
Fonts that reside in your printer. They can be built into the printer itself or provided by a font cartridge or font card. See also printer fonts.
Dfs
See Distributed file system.
Dfs link
Part of the Distributed file system (Dfs) topology that lies below the Dfs root and forms a connection to one or more shared folders or another Dfs root. It does this by mapping a DNS name to the standard UNC of the target shared folder.
Dfs root
A Server Message Block share at the top of the Dfs topology that is the starting point for the links and shared files that make up the Dfs namespace. A Dfs root can be defined at the domain level, for domain-based operation, or at the server level, for stand-alone operation. Domain-based Dfs can have multiple roots in the domain but only one root on each server. See also namespace.
Dfs shared folder
Files or folders in the Dfs namespace that are shared by users with proper permissions. Shared folders can exist at the root level (domain-based Dfs only) or be referred to by Dfs links.
Dfs topology
The overall logical hierarchy of a Distributed file system, including elements such as roots, links, shared folders, and replica sets, as depicted in the Dfs administrative console. This is not to be confused with the Dfs namespace, which is the logical view of shared resources seen by users.
DHCP
See Dynamic Host Configuration Protocol.
DHCP Manager
The primary tool used to manage DHCP servers. The DHCP Manager is a Microsoft Management Console (MMC) tool that is added to the Administrative Tools menu when the DHCP service is installed.
DHCP relay agent
A routing component that relays messages between DHCP clients and a DHCP server located on a different network, so that the server does not need to be on every subnet it serves.
DHCP service
A service that enables a computer to function as a DHCP server and configure DHCP-enabled clients on a network. DHCP runs on a server, enabling the automatic, centralized management of IP addresses and other TCP/IP configuration settings for a network's clients.
dialog box
A window that is displayed to request or supply information. Many dialog boxes have options which must be selected before Windows NT can carry out a command.
dictionary attack
An attack in which an attacker tries words from a dictionary and lists of commonly chosen passwords, often with simple variations, in an attempt to "guess" a password. Because most users prefer easily remembered passwords, a dictionary attack frequently finds the password in far less time than a key search (brute force) attack over the whole key space would take. Password stores that use an unsalted, fast hash make every guess cheap and let one precomputed table serve every account; a salted, deliberately slow hash raises the cost of each guess. See also key search attack.
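An added example for the entry above (not code from the original page): a small dictionary attack with simple mangling rules, run against a password verifier that the attacker can call offline. The same attack loop is pointed first at an unsalted single SHA-1 store and then at a salted PBKDF2 store, to show that the guessing logic is unchanged and only the per-guess cost and the reusability of results differ. The wordlist, the iteration counts and the "stolen" hashes are constructed; a real attack would read a dictionary file of millions of entries.

```python
"""Dictionary attack against two kinds of password store.

Added example; WORDLIST, the salts and the iteration counts are constructed."""
import hashlib
import hmac

# Constructed stand-in for a real dictionary file.
WORDLIST = ["password", "letmein", "welcome", "dragon", "sunshine", "reskit"]


def candidates(word: str):
    """Cheap mangling rules covering what users do to 'strengthen' a word."""
    for base in (word, word.capitalize()):
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"


def dictionary_attack(verify, wordlist=WORDLIST):
    """Feed every candidate to verify(guess) -> bool.
    Returns (password or None, number of guesses made)."""
    guesses = 0
    for word in wordlist:
        for guess in candidates(word):
            guesses += 1
            if verify(guess):
                return guess, guesses
    return None, guesses


def legacy_hash(password: str) -> str:
    """Unsalted single SHA-1, as in many older stores: one cheap hash per
    guess, and a table built once serves every account."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash: each guess costs `iterations` HMAC steps and
    must be repeated per account because the salt differs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def legacy_verifier(stored: str):
    return lambda guess: hmac.compare_digest(legacy_hash(guess), stored)


def pbkdf2_verifier(stored: bytes, salt: bytes, iterations: int):
    return lambda guess: hmac.compare_digest(pbkdf2_hash(guess, salt, iterations), stored)


def attack_cost_ratio(iterations: int) -> int:
    """Hash evaluations per guess for PBKDF2 relative to the single-hash store."""
    return iterations
```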
Diffie-Hellman (DH) algorithm
A key agreement algorithm that predates Rivest-Shamir-Adleman (RSA) and is one of the oldest and most widely used methods of establishing a shared key over an insecure channel. Each party generates a private value, derives a public value from it, and sends only the public value; after the exchange, each party combines its own private value with the other's public value to compute the identical shared key. The key itself is never transmitted. An unauthenticated exchange cannot distinguish a legitimate peer from an attacker who substitutes public values of his own (a man-in-the-middle), so Windows 2000 IPSec authenticates the exchange: IKE binds the exchanged values to the parties' identities using the configured authentication method (Kerberos, a certificate, or a preshared key), and substituted values are detected. See also Diffie-Hellman Groups.
Diffie-Hellman Groups
Groups that determine the length of the prime modulus (key material) used for the DH exchange. The strength of any key derived from a DH exchange depends in part on the strength of the DH group the prime is drawn from. Windows 2000 IPSec offers group 1 (a 768-bit prime, "Low") and group 2 (a 1024-bit prime, "Medium"); both are too short for new deployments by current standards, and a peer's public value should in any case be checked to be a valid element of the group before it is used.
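An added example for the two Diffie-Hellman entries above (not Windows 2000 or IKE code): a complete DH key agreement over the 1024-bit MODP prime that IKE calls group 2 (RFC 2409 section 6.2, generator 2), with validation of the peer's public value, key derivation from the shared secret, and a keyed hash over both public values standing in for IKE's authentication step. run_exchange(mallory=True) shows the man-in-the-middle case: the attacker ends up holding one key with each party, and only the authentication tag exposes her. The party names and the pre-shared key are constructed.

```python
"""Diffie-Hellman key agreement over the IKE group 2 modulus, with and
without a man-in-the-middle.

Added example; the pre-shared key and party names are constructed."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime from RFC 2409 section 6.2 ("Second Oakley Group").
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates a subgroup of prime order Q
P_BYTES = (P.bit_length() + 7) // 8


def gen_private() -> int:
    """Random private exponent in [1, Q-1]; it never leaves the party."""
    return secrets.randbelow(Q - 1) + 1


def public_value(x: int) -> int:
    return pow(G, x, P)


def valid_public_value(y: int) -> bool:
    """Reject 0, 1, P-1 and anything outside the prime-order subgroup;
    accepting such values lets a peer force a predictable shared secret."""
    return 2 <= y <= P - 2 and pow(y, Q, P) == 1


def shared_key(x: int, peer_y: int) -> bytes:
    """Combine own private value with the peer's public value and hash the
    result, so the session key is fixed-length rather than a raw group element."""
    if not valid_public_value(peer_y):
        raise ValueError("invalid Diffie-Hellman public value")
    z = pow(peer_y, x, P)
    return hashlib.sha256(z.to_bytes(P_BYTES, "big")).digest()


def auth_tag(psk: bytes, y_self: int, y_peer: int) -> bytes:
    """Keyed hash binding the two public values a party believes were
    exchanged to a secret the attacker does not hold."""
    msg = y_self.to_bytes(P_BYTES, "big") + y_peer.to_bytes(P_BYTES, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(mallory: bool):
    """One exchange between Alice and Bob, optionally through an active
    attacker who substitutes her own public value in both directions.
    Returns (alice_key, bob_key, bob_accepts_tag, attacker_has_both_keys)."""
    psk = b"constructed pre-shared key"
    xa, xb = gen_private(), gen_private()
    ya, yb = public_value(xa), public_value(xb)
    attacker_has_both = None
    if mallory:
        xm = gen_private()
        ym = public_value(xm)
        ya_seen_by_bob, yb_seen_by_alice = ym, ym
    else:
        ya_seen_by_bob, yb_seen_by_alice = ya, yb
    ka = shared_key(xa, yb_seen_by_alice)
    kb = shared_key(xb, ya_seen_by_bob)
    if mallory:
        # Mallory shares one key with Alice and another with Bob, and can
        # decrypt, rewrite and re-encrypt everything she relays between them.
        attacker_has_both = shared_key(xm, ya) == ka and shared_key(xm, yb) == kb
    # Authentication: Alice tags the values she saw; Bob checks against the
    # values he saw. Without the PSK, Mallory cannot produce a matching tag.
    tag_from_alice = auth_tag(psk, ya, yb_seen_by_alice)
    bob_accepts = hmac.compare_digest(tag_from_alice, auth_tag(psk, ya_seen_by_bob, yb))
    return ka, kb, bob_accepts, attacker_has_both
```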
Diffie-Hellman Key Agreement
See Diffie-Hellman (DH) algorithm.
digital certificate
See certificate.
digital signature
A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments and provide nonrepudiation and integrity services. See also public key cryptography.
Digital Signature Algorithm (DSA)
See Digital Signature Standard (DSS).
Digital Signature Standard (DSS)
The U.S. federal standard (FIPS 186) that specifies the Digital Signature Algorithm (DSA) as its signature algorithm and SHA-1 as its message hash algorithm. DSA is a public key algorithm that is used only to generate and verify digital signatures; it cannot be used for data encryption.
direct delivery
The delivery of an IP packet by an IP node to the final destination on a directly attached network.
direct hosting
A feature that allows Windows 2000 computers using Microsoft file and print sharing to communicate over IPX, bypassing the NetBIOS layer.
direct memory access (DMA)
Memory access that does not involve the microprocessor. DMA is frequently used for data transfer directly between memory and a peripheral device, such as a disk drive.
directory
An information source that contains information about computer files or other objects. In a file system, a directory stores information about files. In a distributed computing environment (such as a Windows 2000 domain), the directory stores information about objects such as printers, applications, databases, and users.
directory partition
A contiguous subtree of Active Directory that is replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree. In Active Directory, a single server always holds at least three directory partitions: schema (class and attribute definitions for the directory); configuration (replication topology and related metadata); and domain (the subtree that contains the per-domain objects for one domain). The schema and configuration directory partitions are replicated to every domain controller in a specified forest. A domain directory partition is replicated only to domain controllers for that domain. In addition to a full, writable replica of its own domain directory partition, a Global Catalog server also holds partial, read-only replicas of all other domain directory partitions in the forest. See also full replica; Global Catalog; partial replica.
directory service
Both the directory information source and the service that makes the information available and usable. A directory service enables the user to find an object given any one of its attributes. See also Active Directory; directory.
directory store
The physical storage for Active Directory directory partition replicas on a given domain controller. The store is implemented using the Extensible Storage Engine.
directory system agent (DSA)
The process that manages and provides access to stored directory information.
directory tree
A hierarchy of objects and containers in a directory that can be viewed graphically as an upside-down tree, with the root object at the top. Endpoints in the tree are usually single (leaf) objects, and nodes in the tree, or branches, are container objects. A tree shows how objects are connected in terms of the path from one object to another. A simple tree is a single container and its objects. A contiguous subtree is any unbroken path in the tree, including all the members of any container in that path.
disable
To make a device nonfunctional. For example, if a device in a hardware profile is disabled, the device cannot be used while that hardware profile is in use. Disabling a device frees the resources that were allocated to it.
disabled user account
A user account that does not permit logging on. The account appears in the user account list of Local Users and Groups or Active Directory Users and Computers and can be re-enabled by a member of the Administrators group at any time. See also user account.
disconnected placeholder
A placeholder whose file contents have been removed from remote storage. A disconnected placeholder could have been restored from backup after the space in remote storage was reclaimed, or the data within remote storage is physically unavailable (for example, because of a media failure).
discontiguous namespace
Namespace that is based on different DNS root domain names, such as that of multiple trees in the same forest. See also flat namespace; hierarchical namespace; namespace.
discovery
A process by which the Windows 2000 Net Logon service attempts to locate a domain controller running Windows 2000 Server in the trusted domain. Once a domain controller has been discovered, it is used for subsequent user account authentication. For SNMP, dynamic discovery is the identification of devices attached to an SNMP network.
discretionary access control list (DACL)
The part of an object's security descriptor that grants or denies specific users and groups permission to access the object. The owner of an object can always change the permissions granted or denied in its DACL, and can grant that ability (the WRITE_DAC right) to others; thus access to the object is at the owner's discretion. An access check evaluates the ACEs in list order and stops as soon as the requested rights are all granted or a matching deny ACE covers any of them, so a deny ACE placed after an allow ACE for the same principal is never reached; the canonical order puts explicit deny ACEs before explicit allow ACEs. A security descriptor with no DACL at all grants everyone full access, whereas an empty DACL grants access to no one. See also access control entry; object; security descriptor; system access control list.
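An added model of the access check described above (not operating-system code): ACEs are evaluated in order, a deny ACE that covers any right still being sought fails the check, the check succeeds as soon as every requested right has been granted, the owner implicitly holds READ_CONTROL and WRITE_DAC, a null DACL grants everything and an empty DACL grants nothing. The SIDs of the form S-1-5-21-0-0-0-RID, the token membership and the access-right values are constructed for the example; is_canonical() is the check an editor of DACLs wants, because a mis-ordered list lets an allow ACE satisfy a request before the deny that was meant to block it is seen.

```python
"""Simulated Windows DACL access check.

Added example; SIDs, masks and tokens are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Access rights (a subset, laid out like Win32 specific and standard rights).
FILE_READ = 0x0001
FILE_WRITE = 0x0002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

ALLOW, DENY = "ACCESS_ALLOWED", "ACCESS_DENIED"
EVERYONE = "S-1-1-0"  # well-known Everyone SID


@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    # None: no DACL present (object is unprotected); []: empty DACL (no access)
    dacl: Optional[List[Ace]]


def access_check(sd: SecurityDescriptor, token_sids: Set[str], desired: int) -> bool:
    remaining = desired
    # The owner implicitly holds READ_CONTROL and WRITE_DAC, so the owner can
    # always read and rewrite the DACL whatever its ACEs say.
    if sd.owner in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0:
        return True
    if sd.dacl is None:
        return True
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & remaining:
            return False            # a matching deny for any still-wanted right ends the check
        if ace.kind == ALLOW:
            remaining &= ~ace.mask
            if remaining == 0:
                return True         # everything requested has been granted
    return False                    # some requested right was never granted


def is_canonical(dacl: List[Ace]) -> bool:
    """Explicit deny ACEs must precede explicit allow ACEs."""
    seen_allow = False
    for ace in dacl:
        if ace.kind == ALLOW:
            seen_allow = True
        elif seen_allow:
            return False
    return True
```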
disjoint networks
Networks that are separate and unaware of each other.
disjointed subnet
Subnets of a subnetted IP network ID that are not contiguous (connected by the same routers).
disk
A physical data storage device attached to a computer. See also basic disk; dynamic disk.
disk bottleneck
A condition that occurs when disk performance is reduced to the extent that overall system performance is affected.
disk quota
The maximum amount of disk space available to a user.
display adapter
An expansion board that plugs into a personal computer to give it display capabilities. A computer's display capabilities depend on both the logical circuitry (provided in the video adapter) and the monitor. Each adapter offers several different video modes. The two basic categories of video modes are text and graphic. Within the text and graphic modes, some monitors also offer a choice of resolutions. At lower resolutions a monitor can display more colors. Modern adapters contain memory, so that the computer's RAM is not used for storing displays. In addition, most adapters have their own graphics coprocessor for performing graphics calculations. These adapters are often called graphics accelerators. See also network adapter.
display specifiers
Objects in Active Directory that store localized graphical user interface information. Display specifiers enable the graphical user interface to be extended for each class of object in Active Directory.
distance vector
A routing protocol technology in which routing information is advertised as a series of network IDs and their distance in hops from the advertising router. Routing information exchanged between typical distance vector-based routers is unsynchronized and unacknowledged.
distinguished name
A name that uniquely identifies an object by using the relative distinguished name for the object, plus the names of the container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. An example of a distinguished name is CN=MyName,CN=Users,DC=Reskit,DC=Com, which identifies the "MyName" user object in the reskit.com domain.
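An added example for this entry (not code from the original page): a parser and formatter for the RFC 2253 string form of distinguished names. Values may contain the separator characters, so a DN cannot safely be split on commas; the parser honours backslash escapes such as "\," and two-digit hex escapes such as "\2C", and escape_value() applies the same rules in reverse so that a user-supplied value like "x,OU=Admins" becomes one RDN value rather than an extra RDN. Multi-valued RDNs joined with "+" and non-ASCII hex escapes are outside the scope of this example.

```python
"""RFC 2253 distinguished name parsing and formatting.

Added example; the sample names are constructed."""

HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;'   # characters that must be escaped inside an attribute value


def parse_dn(dn: str):
    """Return the RDNs as a list of (attribute type, value), most specific first."""
    rdns, buf, attr, i = [], [], None, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            esc = dn[i + 1:i + 3]
            if len(esc) == 2 and esc[0] in HEX and esc[1] in HEX:
                buf.append(chr(int(esc, 16)))     # hex escape, e.g. \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])             # escaped literal, e.g. \, -> ','
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()           # attribute type; spaces around it are not significant
            buf = []
        elif ch in ",;":                          # RDN separator (';' is the legacy form)
            if attr is None:
                raise ValueError("RDN without '='")
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError("RDN without '='")
    rdns.append((attr, "".join(buf)))
    return rdns


def escape_value(value: str) -> str:
    """Escape a raw attribute value for inclusion in a DN (RFC 2253 section 2.4)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in SPECIAL or (idx == 0 and ch in "# ") or (idx == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_dn(rdns) -> str:
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def parent_dn(dn: str) -> str:
    """The container holding the object named by dn (empty for a root)."""
    return format_dn(parse_dn(dn)[1:])
```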
Distributed Component Object Model (DCOM)
The Microsoft Component Object Model (COM) specification that defines how components communicate over Windows-based networks. Use the DCOM Configuration tool to integrate client/server applications across multiple computers. DCOM can also be used to integrate robust Web browser applications. See also DCOM Configuration tool.
Distributed Data Management (DDM)
An underlying database architecture provided by the host system, used by IBM.
distributed DHCP
A DHCP scenario in which IP addresses are distributed across a site boundary.
Distributed file system (Dfs)
A Windows 2000 service consisting of software residing on network servers and clients that transparently links shared folders located on different file servers into a single namespace for improved load sharing and data availability.
distributed processing
A computing environment that contains a client and a server. This structure allows the workload to be divided into parts yet appear as a single process.
Distributed Relational Database Architecture (DRDA)
An IBM distributed database protocol that provides access to IBM DB2 relational database programs on IBM host platforms including IBM Multiple Virtual Storage (MVS) and AS/400 systems.
distribution folder
The folder created on the Windows 2000 distribution server to contain the Setup files.
distribution point
In Systems Management Server, a site system with the distribution point role that stores package files received from a site server. Systems Management Server clients contact distribution points to obtain programs and files after they detect that an advertised application is available from a client access point.
distribution point group
In Systems Management Server, a set of distribution points that can be managed as a single entity.
DNS
See Domain Name System.
DNS Notify
A revision to the DNS standard (RFC 1996) that proposes that the master server for a zone notify certain secondary servers for that zone of changes, and the secondary servers can then check to see whether they need to initiate a zone transfer. See also master server; secondary server.
DNS resolver
A component of the TCP/IP protocol that sends Domain Name System (DNS) queries to a DNS server.
DNS server
A computer that runs DNS server programs containing name-to-IP address mappings, IP address-to-name mappings, information about the domain tree structure, and other information. DNS servers also attempt to resolve client queries.
DNS suffix
For DNS, an optional parent domain name that can be appended to the end of a relative domain name that is used in a name query or host lookup. The DNS suffix can be used to complete an alternate fully qualified DNS domain name to be searched when the first attempt to query a name fails.
DNS suffix search list
A list of domain names specified on the DNS tab of the Advanced TCP/IP Settings page. During name resolution, the resolver appends these domain names one by one to form a fully qualified domain name.
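An added example for the DNS suffix, connection-specific DNS suffix and suffix search list entries (not the resolver's code): a simplified model of how an incomplete name is expanded into the fully qualified names that are queried, in order. The ordering rules are stated assumptions: a dot-terminated name is queried as given; a multiple-label name is first tried as a fully qualified name; a configured search list replaces the primary and connection-specific suffixes; otherwise the primary suffix is tried before each adapter's connection-specific suffix. The suffixes and names are constructed. The practical consequence is that a single-label name such as "payroll" is completed only by suffixes, so an adapter that accepts a connection-specific suffix from an untrusted DHCP server can redirect such names to a domain an attacker controls; scripts and configuration should use fully qualified, dot-terminated names where that risk matters.

```python
"""Simplified model of DNS name completion with suffixes.

Added example; the ordering rules are assumptions and all names are constructed."""


def is_fqdn(name: str) -> bool:
    return name.endswith(".")


def candidate_fqdns(name, primary_suffix, connection_suffixes=(), search_list=None):
    """Fully qualified names the resolver would query, in order, for `name`."""
    if is_fqdn(name):
        return [name]                          # dot-terminated: never expanded
    out = []
    if "." in name:
        out.append(name + ".")                 # multiple labels: try as an FQDN first
    # A suffix search list replaces the primary and connection-specific suffixes.
    suffixes = list(search_list) if search_list else [primary_suffix, *connection_suffixes]
    for suffix in suffixes:
        if not suffix:
            continue
        fq = f"{name}.{suffix.rstrip('.')}."
        if fq not in out:
            out.append(fq)
    return out


def suffix_controls_name(name, suffix, primary_suffix, connection_suffixes=(), search_list=None) -> bool:
    """True when a lookup of `name` would, at some point, be sent under `suffix`."""
    tail = "." + suffix.rstrip(".") + "."
    return any(fq.endswith(tail) for fq in candidate_fqdns(name, primary_suffix, connection_suffixes, search_list))
```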
domain
An administrative unit in a computer network that groups together a number of capabilities for management convenience, including:
  • Network-wide user identity. Domains allow user identities to be created once and referenced on any computer joined to the forest in which the domain is located. Domain controllers that make up a domain are used to store user accounts and user credentials such as passwords or certificates securely.
  • Authentication. Domain controllers provide authentication services for users and supply additional authorization data, such as user group memberships, which can be used to control access to resources on the network.
  • Trust relationships. Domains can extend authentication services to users in domains outside their own forest by means of trusts.
  • Policy administration. The domain is a scope of administrative policies, such as password complexity and password reuse rules.
  • Replication. The domain defines a partition of the directory tree that provides data adequate to provide the required services and replicates it between the domain controllers. In this way, all domain controllers are peers in a domain and are managed as a unit.
domain consolidation
The process of combining two or more domains into a larger domain.
domain controller
For a Windows NT Server or Windows 2000 Server domain, the server that authenticates domain logons and maintains the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.
domain controller discovery
A process by which the Net Logon service attempts to locate a domain controller that is running Windows NT Server in the trusted domain. After a domain controller has been discovered, it is used for subsequent user account authentication.
domain controller locator (Locator)
An algorithm that runs in the context of the Net Logon service and that finds domain controllers on a Windows 2000 network. Locator can find domain controllers by using DNS names (for IP/DNS-compatible computers) or by using NetBIOS names (for computers that are running Windows 3.x, Windows for Workgroups, Windows NT 3.5 or later, Windows 95, or Windows 98, or for networks where IP transport is not available).
domain hierarchy
The parent-child tree structure of domains.
domain local group
A Windows 2000 group that is available only in native mode domains and that can contain members from anywhere in the forest, in trusted forests, or in a trusted pre-Windows 2000 domain. Domain local groups can only grant permissions to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain.
domain migration
The process of moving accounts, resources, and their associated security objects from one domain structure to another.
domain name
In Windows 2000 and Active Directory, the name given by an administrator to a collection of networked computers that share a common directory. For DNS, domain names are specific node names in the DNS namespace tree. DNS domain names use singular node names, known as "labels," joined together by periods (.) that indicate each node level in the namespace. See also Domain Name System (DNS); namespace.
domain name label
Each part of a full DNS domain name that represents a node in the domain namespace tree. Domain names are made up of a sequence of labels, such as the three labels ("noam," "reskit," and "com") that make up the DNS domain name "noam.reskit.com." Each label used in a DNS name must have 63 or fewer characters.
Domain Name System (DNS)
A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa. This allows users, computers, and applications to query the DNS to specify remote systems by fully qualified domain names rather than by IP addresses. See also domain; Ping.
domain namespace
The database structure used by the Domain Name System (DNS). See also Domain Name System (DNS).
domain naming master
The domain controller that has the domain naming master role is the only domain controller that can do the following: Add new domains to the forest; Remove existing domains from the forest; Add or remove cross-reference objects to external directories. See also Active Directory; domain controller; multimaster replication; operations master; replication.
domain restructure
The process of reorganizing one domain structure into another that typically results in the accounts, groups, and trusts being altered.
domain tree
In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. See also domain name; namespace.
domain upgrade
The process of replacing an earlier operating system version on the computers in a domain with a later version.
domain-based Dfs
An implementation of Dfs that stores its configuration information in Active Directory. Because this information is made available on every domain controller in the domain, domain-based Dfs provides high availability for any distributed file system in the domain. A domain-based Dfs root has the following characteristics: it must be hosted on a domain member server, it has its topology published automatically to Active Directory, it can have root-level shared folders, and it supports root and file replication through File Replication service.
dots per inch (DPI)
The standard used to measure screen and printer resolution, expressed as the number of dots that a device can display or print per linear inch. The greater the number of dots per inch, the better the resolution.
dotted decimal notation
The format of an IP address after it is divided along byte boundaries, converted to decimal (Base 10 numbering system), and separated by periods (.). (Example:
drain
For Network Load Balancing, a program that disables new traffic handling for the rule whose port range contains the specified port. All ports specified by the port rule are affected. See also drainstop; port rule.
drainstop
For Network Load Balancing, a tool that disables all new traffic handling on the specified hosts. The hosts then enter the draining mode to complete existing connections. While draining, hosts remain in the cluster and stop their cluster operations when there are no more active connections. You can terminate draining mode by explicitly stopping cluster mode with the stop command or by restarting new traffic handling with the start command. To drain connections from a specific port, use the drain command. See also drain.
dump file
A file used to store data in memory in case of failure.
duplex
A system capable of transmitting information in both directions over a communications channel. See also full-duplex; half-duplex.
DVD decoder
A hardware or software component that allows a digital video disc (DVD) drive to display movies on your computer screen. See also DVD disc; DVD drive.
DVD disc
A type of optical disc storage technology. A digital video disc (DVD) looks like a CD-ROM disc, but it can store greater amounts of data. DVD discs are often used to store full-length movies and other multimedia content that requires large amounts of storage space. See also DVD decoder; DVD drive.
DVD drive
A disk storage device that uses digital video disc (DVD) technology. A DVD drive reads both CD-ROM and DVD discs; however, a DVD decoder is necessary to display DVD movies on your computer screen. See also DVD decoder; DVD disc.
Dvorak keyboard
An alternative keyboard with a layout that makes the most frequently typed characters more accessible to people who have difficulty typing on the standard QWERTY layout.
DWORD
A data type composed of hexadecimal data with a maximum allotted space of 4 bytes.
dynamic disk
A physical disk that is managed by Disk Management. Dynamic disks can contain only dynamic volumes (that is, volumes created by using Disk Management). Dynamic disks cannot contain partitions or logical drives, nor can they be accessed by MS-DOS. See also dynamic volume; partition.
Dynamic Host Configuration Protocol (DHCP)
A networking protocol that provides safe, reliable, and simple TCP/IP network configuration and offers dynamic configuration of Internet Protocol (IP) addresses for computers. DHCP ensures that address conflicts do not occur and helps conserve the use of IP addresses through centralized management of address allocation.
dynamic ports
Ports in the range from 49151 through 65535 that are assigned on a randomly numbered basis.
dynamic priority
The priority value to which a thread's base priority is adjusted to optimize scheduling.
dynamic re-keying
A method used by IPSec policy to control how often a new key is generated during the communication. The communication is sent in blocks, and each block of data is secured with a different key. This prevents an attacker who has obtained part of a communication and the corresponding session keys from obtaining the rest of the message.
dynamic router
A router with dynamically configured routing tables. Dynamic routing consists of routing tables that are built and maintained automatically through an ongoing communication between routers. This communication is facilitated by a routing protocol. Except for their initial configuration, dynamic routers require little ongoing maintenance, and therefore can scale to larger internetworks.
dynamic routing
The use of routing protocols to update routing tables. Dynamic routing responds to changes in the internetwork topology.
dynamic update
An updated specification to the Domain Name System (DNS) standard that permits hosts that store name information in DNS to dynamically register and update their records in zones maintained by DNS servers that can accept and process dynamic update messages.
dynamic volume
A logical volume that is created using Disk Management. Dynamic volumes include simple, spanned, striped, mirrored, and RAID-5 volumes. Dynamic volumes must be created on dynamic disks. See also dynamic disk; volume.
dynamic-link library (DLL)
A feature of the Microsoft Windows family of operating systems and the OS/2 operating system. DLLs allow executable routines, generally serving a specific function or set of functions, to be stored separately as files with .dll extensions, and to be loaded only when needed by the program that calls them.

E
EAP
See Extensible Authentication Protocol.
EAP type
A specific EAP authentication scheme. Once the use of EAP is determined, the specific EAP type must be negotiated and performed.
EFS
See Encrypting File System.
election datagram
A specific datagram generated by computers on Microsoft networks to initiate elections in the browser system.
embedded object
Information created in another application that has been pasted inside a document. When information is embedded, you can edit it in the new document by using toolbars and menus from the original program. When you double-click the embedded icon, the toolbars and menus from the program used to create the information appear. Embedded information is not linked to the original file. If you change information in one place, it is not updated in the other. See also linked object.
emergency repair disk (ERD)
A disk, created by the Backup utility, that contains copies of three of the files stored in the %SystemRoot%/Repair folder, including Setup.log, which contains a list of system files installed on the computer. This disk can be used during the Emergency Repair Process to repair your computer if it will not start or if your system files are damaged or erased.
emulated local area network (ELAN)
A logical network initiated by using the mechanisms defined by LAN emulation. This could include ATM and previously attached end stations.
emulator modules
Software components that allow applications written to NetBIOS and Windows Sockets interfaces to connect to the Transport Driver Interface.
enable
To make a device functional. For example, if a device in your hardware configuration settings is enabled, the device is available for use when your computer uses that hardware configuration.
encapsulating security payload (ESP)
An IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone, in combination with AH, or nested with the Layer Two Tunneling Protocol (L2TP). ESP does not normally sign the entire packet unless it is being tunneled; ordinarily, just the data payload is protected, not the IP header.
encapsulation
See tunneling.
encrypted data recovery agent account
An account that can be used to decrypt a file encrypted by using the Encrypting File System (EFS) if the file owner's decryption key becomes unavailable.
encrypted password
A password that is scrambled. Encrypted passwords are more secure than plaintext passwords, which are susceptible to network sniffers.
Encrypting File System (EFS)
A new feature in Windows 2000 that protects sensitive data in files that are stored on disk using the NTFS file system. It uses symmetric key encryption in conjunction with public key technology to provide confidentiality for files. It runs as an integrated system service, which makes EFS easy to manage, difficult to attack, and transparent to the file owner and to applications.
encryption
The process of disguising a message or data in such a way as to hide its substance.
Encryption Control Protocol (ECP)
The Network Control Protocol for negotiating the use of encryption over PPP links. ECP is documented in RFC 1968.
encryption key
A bit string that is used in conjunction with an encryption algorithm to encrypt and decrypt data. See also public key; private key; symmetric key.
end system
A network device without the ability to forward packets between portions of a network. See also host.
end-to-end encryption
Data encryption between the client application and the server hosting the resource or service being accessed by the client application.
Enhanced Integrated Drive Electronics (EIDE)
An extension of the IDE standard, EIDE is a hardware interface standard for disk drive designs that houses control circuits in the drives themselves. It allows for standardized interfaces to the system bus, while providing for advanced features, such as burst data transfers and direct data access.
enterprise certification authority
A Windows 2000 certification authority that is fully integrated with Active Directory. See also certification authority; stand-alone certification authority.
entry
The lowest level element in the registry. Entries appear in the right pane of a Registry Editor window. Each entry consists of an entry name, its data type, and its value. Entries store the actual configuration data that affects the operating system and programs that run on the system. As such, they are different from registry keys and subkeys, which are containers.
environment variable
A string consisting of environment information, such as a drive, path, or filename, associated with a symbolic name that can be used by Windows NT and Windows 2000. Use the System option in Control Panel or the set command from the command prompt to define environment variables.
ephemeral ports
Ports in the range from 1024 through 5000.
error detection
A technique for detecting when data is lost during transmission. This allows the software to recover lost data by requesting that the transmitting computer retransmit the data.
event
Any significant occurrence in the system or an application that requires users to be notified or an entry to be added to a log.
Event Log
The file in which event logging entries are recorded.
event logging
The Windows 2000 process of recording an audit entry in the audit trail whenever certain events occur, such as services starting and stopping or users logging on and off and accessing resources. You can use Event Viewer to review Services for Macintosh events as well as Windows 2000 events.
event types
Errors, basic actions with time stamps, or device problems.
everyone category
In the Macintosh environment, one of the user categories to which permissions for a folder are assigned. Permissions granted to everyone apply to all users who use the server, including guests.
expire interval
For DNS, the number of seconds that DNS servers operating as secondary masters for a zone use to determine if zone data should be expired when the zone is not refreshed and renewed. See also zone.
explicit trust relationship
A trust relationship from Windows NT in which an explicit link is made in one direction only. Explicit trusts can also exist between Windows NT domains and Windows 2000 domains, and between forests.
export
In NFS, to make a file system available by a server to a client for mounting.
Extended Industry Standard Architecture (EISA)
A 32-bit bus standard introduced in 1988 by a consortium of nine computer-industry companies. EISA maintains compatibility with the earlier Industry Standard Architecture (ISA) but provides for additional features.
extended partition
A portion of a basic disk that can contain logical drives. To have more than four volumes on your basic disk, you need to use an extended partition. Only one of the four partitions allowed per physical disk can be an extended partition, and no primary partition needs to be present to create an extended partition. You can create extended partitions only on basic disks. See also basic disk; logical drive; partition; primary partition; unallocated space.
Extensible Authentication Protocol (EAP)
An extension to PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection.
Extensible Storage Engine
The Active Directory database engine. ESE (Esent.dll) implements a transacted database system, which means that it uses log files to ensure that committed transactions are safe.
extension-type association
The association of an MS-DOS file name extension with a Macintosh file type and file creator. Extension-type associations allow users of the personal computer and Macintosh versions of the same program to share the same data files on the server. Services for Macintosh has many predefined extension-type associations.
external namespace
A public namespace that anyone on the Internet can view.
external network number
A 4-byte hexadecimal number used for addressing and routing purposes. The external network number is associated with physical network adapters and networks. To communicate with each other, all computers on the same network that use a given frame type must have the same external network number. All external network numbers must be unique to the IPX internetwork. See also internal network number; Internetwork Packet Exchange (IPX).
external reference
In Active Directory, knowledge about a referral location that is external to the forest. Virtual containers and foreign containers are external references.
external route
A route that is not within an OSPF autonomous system.
external trust relationship
A manually created trust relationship between Windows 2000 domains that are in different forests or between a Windows 2000 domain and a domain whose domain controller is running Windows NT 4.0 or earlier.
extinction interval
A WINS database value that establishes how long entries linger in the released and tombstoned states.
extranet
A limited subset of computers or users on a public network, typically the Internet, that are able to access an organization's internal network. Typically the computers or users belong to partner organizations.
eye-gaze pointing device
An input device that uses vision to control an on-screen cursor that allows users to press on-screen buttons in dialog boxes, to choose menu items, and select cells or text.

F
factoring attack
An attack on a public key encryption algorithm in which the attacker tries all possible factors to discover the private key of a public/private key pair. This attack is similar to the key search attack that can be conducted on symmetric key encryption algorithms, but the number of possible factors varies depending on the public key algorithm.
failback (v., fail back)
In a server cluster, the moving of a failed-over group to the next node on the group's Preferred Owners list. See also failover; node; resource.
failover (v., fail over)
In a server cluster, the means of providing high availability. Upon failure, either of a resource in a group or of the node where the group is online, the Cluster service takes the group offline on that node, and then brings it online on another node. See also node; resource.
fast zone transfer
A form of zone transfer in which more than one resource record can be sent in one message.
FAT
See file allocation table.
FAT32
A derivative of the file allocation table file system. FAT32 supports smaller cluster sizes than FAT, which results in more efficient space allocation on FAT32 drives. See also file allocation table (FAT); NTFS file system.
fault tolerance
The assurance of data integrity when hardware failures occur. On the Windows NT and Windows 2000 platforms, fault tolerance is provided by the Ftdisk.sys driver.
FDDI
See Fiber Distributed Data Interface.
Fiber Distributed Data Interface (FDDI)
A type of network media designed to be used with fiber-optic cabling. See also LocalTalk; Token Ring.
FIFO
First in, first out.
file allocation table (FAT)
A file system based on a file allocation table (FAT) maintained by some operating systems, including Windows NT and Windows 2000, to keep track of the status of various segments of disk space used for file storage.
file creator
A four-character sequence that tells the Macintosh Finder the name of the program that created a file. In Services for Macintosh, extension-type associations can be created that map personal computer file name extensions to Macintosh file creators and file types. These associations allow both Windows and Macintosh users to share the same data files on the server. See also extension-type association.
File Replication service
A multithreaded replication engine that allows simultaneous replication of files between different computers. File Replication service replaces the LMRepl service that is used in Microsoft Windows NT.
file server
A server that provides organization-wide access to files, programs, and applications.
File Server for Macintosh
A Services for Macintosh service that allows Macintosh clients and Windows clients to share files. Also called MacFile.
file system
In an operating system, the overall structure in which files are named, stored, and organized. NTFS, FAT, and FAT32 are types of file systems.
File Transfer Protocol (FTP)
A protocol that defines how to transfer files from one computer to another over the Internet. FTP is also a client/server application that moves files using this protocol.
filter
In IPSec, a rule that provides the ability to trigger security negotiations for a communication based on the source, destination, and type of IP traffic. See also search filter.
Filter Actions
An IPSec negotiation policy that sets the security requirements for the IPSec SA, or Phase 2 of the communication. These requirements are specified in a list of security methods contained in the filter action, including which algorithms, security protocols, and key properties are to be used.
filtering mode
For Network Load Balancing, the method by which network traffic inbound to a cluster is handled by the hosts within the cluster. Traffic can either be handled by a single server, load balanced among the hosts within the cluster, or disabled completely. See also server.
FilterKeys
A Windows 2000 accessibility feature that allows people with physical disabilities to adjust keyboard response time. See also BounceKeys; RepeatKeys; SlowKeys.
In IP and IPX packet filtering, a series of definitions that indicate to the router the type of traffic allowed or disallowed on each interface.
finite state machine
A computer, or operating system, in which a set of inputs determine not only the set of outputs but also the internal state of a computer, so that processing is optimized.
FIPS 140-1
A standard entitled "Security Requirements for Cryptographic Modules." FIPS 140-1 describes government requirements that hardware and software cryptomodules must meet for Sensitive, but Unclassified (SBU) use. FIPS 140-1 is also called Federal Information Processing Standard 140-1.
firewall
A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between the network and external computers by routing communication through a proxy server outside of the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a security-edge gateway.
flat namespace
A namespace that is unstructured and cannot be partitioned, such as the network basic input/output system (NetBIOS) namespace. In a flat namespace, every object must have a unique name. See also namespace; hierarchical namespace; noncontiguous namespace.
flat routing infrastructure
A routing infrastructure where each network segment is represented individually by a network route in the routing table. The network IDs in a flat routing infrastructure have no network/subnet structure and cannot be summarized.
Flexible Single Master Operations (FSMO)
Active Directory operations that are not permitted to occur at different places in the network at the same time. Each role controls another specific set of directory changes. For each role, only the domain controller holding that role can make the associated directory changes. For example, Active Directory performs schema updates to prevent conflicts in a single-master fashion. Only one domain controller in the entire forest, the domain controller holding the schema master role, accepts updates to schema objects. An administrator can shift the schema master role from one domain controller to another as the need arises, but at any moment only one domain controller holds the schema master role.
flow
A stream of data sent or received by a host. Also called network traffic.
flowspec
A traffic parameter that specifies the type of QoS requested. Flowspec is used to set parameters in the QoS packet scheduler.
folder redirection
A Group Policy option that allows you to redirect designated folders to the network.
font
A graphic design applied to a collection of numbers, symbols, and characters. A font describes a certain typeface along with other qualities such as size, spacing, and pitch.
foreground boost
A mechanism that increases the priority of a foreground application.
forest
A collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. All trees in a forest share a common schema, configuration, and Global Catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace.
form
Specifies the paper size (such as letter or legal) assigned to a tray on a printer. A form defines physical characteristics such as paper size and printer area margins of the paper or other print media.
FORTEZZA
A family of security products, including PCMCIA-based cards, compatible serial port devices, combination cards (such as FORTEZZA/Modem and FORTEZZA/Ethernet), server boards, and others. FORTEZZA is a registered trademark held by the National Security Agency.
forward lookup
In DNS, a query process in which the friendly DNS domain name of a host computer is searched to find its IP address. In DNS Manager, forward lookup zones are based on DNS domain names and typically hold host address (A) resource records.
forwarder
A DNS server designated by other internal DNS servers to be used to forward queries for resolving external or offsite DNS domain names.
forwarding address
A field in a routing table entry that indicates the address to which a packet is forwarded. The forwarding address can be a physical address or an internetwork address.
forwarding IP address
The IP address to which a packet is being forwarded based on the destination IP address and the contents of the IP routing table.
fractional T1
A T1 line that consists of 23 B channels and 1 D channel. The single D channel is used for clocking purposes.
fragment offset
A field in the Internet Protocol (IP) header that is used to reconstruct the fragmented IP payload. The fragment offset indicates the position of the fragment relative to the original IP payload.
fragmentation
The scattering of parts of the same disk file over different areas of the disk. Fragmentation occurs as files on a disk are deleted and new files are added. It slows disk access and degrades the overall performance of disk operations, although usually not severely. See also defragmentation.
fragmentation and reassembly
The process used by the Internet Protocol (IP) to fragment an IP datagram into smaller packets that are reassembled by the destination host.
frame
In synchronous communication, a package of information transmitted as a single unit from one device to another. Frame is a term most often used with Ethernet networks. A frame is similar to the packet used on other networks. See also packet.
free space
Available space that is used to create logical drives within an extended partition. See also extended partition; logical drive; unallocated space.
front-end processor (FEP)
A dedicated computer that controls communications between an IBM mainframe and the network devices that communicate with it, offloading communication processing overhead from the mainframe.
FSMO
See Flexible Single Master Operations (pronounced "fizmo").
FSMO role owner
The computer where an operation is allowed to occur is called the "FSMO role owner" for that operation. When a new FSMO role owner is selected, the replication system handles synchronous transfer of FSMO role ownership and the data the FSMO protects.
FTP
See File Transfer Protocol.
full computer name
A type of FQDN. The fully qualified domain name is also known as the full computer name. The same computer could be identified by more than one FQDN. However, only the FQDN that is a concatenation of the host name and the primary DNS suffix is a full computer name.
full replica
A read and write replica of a directory partition that contains all attributes of all objects in the partition. Every domain controller has three full replicas: domain, schema, and configuration directory partitions. A full replica is also called a master replica. See also partial replica.
full zone transfer (AXFR)
The standard query type supported by all DNS servers to update and synchronize zone data when the zone is changed. When a DNS query is made using AXFR as the specified query type, the entire zone is transferred as the response. See also incremental zone transfer (IXFR); zone; zone transfer.
full-duplex
A system capable of simultaneously transmitting information in both directions over a communications channel. See also duplex; half-duplex.
fully qualified domain name (FQDN)
A DNS domain name that has been stated unambiguously so as to indicate with absolute certainty its location in the domain namespace tree. For example, client1.reskit.com. The FQDN is also known as a full computer name.

G
garbage collection interval
A measurement of time indicating how often a domain controller examines its database for expired tombstones that can be collected.
gateway
A device connected to multiple physical TCP/IP networks, capable of routing or delivering IP packets between them. A gateway translates between different transport protocols or data formats (for example, IPX and IP) and is generally added to a network primarily for its translation ability. See also IP address; IP router.
Gateway Service for NetWare
A service that creates a gateway in which Microsoft clients can access NetWare core protocol networks, such as NetWare file and print services, through a Windows 2000 server.
generic Quality of Service
A method by which a TCP/IP network can offer Quality of Service guarantees for multimedia applications. Generic Quality of Service allocates different bandwidths for each connection on an as-needed basis.
geographical domain
A type of domain named by using the 2-character country/region codes established under ISO 3166 of the International Organization for Standardization.
Gigabit Ethernet
The Ethernet standard that transmits data at 1 billion bits per second or more.
Global Catalog
A domain controller that contains a partial replica of every domain directory partition in the forest as well as a full replica of its own domain directory partition and the schema and configuration directory partitions. The Global Catalog holds a replica of every object in Active Directory, but each object includes a limited number of its attributes. The attributes in the Global Catalog are those most frequently used in search operations (such as a user's first and last names) and those attributes that are required to locate a full replica of the object. The Global Catalog enables users and applications to find objects in Active Directory given one or more attributes of the target object, without knowing what domain holds the object. The Active Directory replication system builds the Global Catalog automatically. The attributes replicated into the Global Catalog include a base set defined by Microsoft. Administrators can specify additional properties to meet the needs of their installation.
global group
For Windows 2000 Server, a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those places a global group can be granted rights and permissions and can become a member of local groups. However, a global group can contain user accounts only from its own domain. See also group; local group.
globally unique identifier (GUID)
A 16-byte value generated from the unique identifier on a device (its network adapter address), the current date and time, and a sequence number. A GUID is used to identify a particular device or component. A GUID is designed to be unique, not secret: one generated this way reveals the generating computer's adapter address and the time of generation, so it is unsuitable as an unguessable token.
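The following is an added example, not part of the original glossary, showing what a time-based GUID of the kind described above gives away. It uses Python's standard uuid module; the adapter address and sequence number are constructed for the demonstration.

```python
import uuid
from datetime import datetime, timedelta, timezone

# Offset between the UUID epoch (1582-10-15) and the Unix epoch, in 100-ns ticks.
UUID_TO_UNIX_TICKS = 0x01B21DD213814000


def decode_time_based_guid(text: str) -> dict:
    """Split a time-based (version 1) GUID back into the values it was built from."""
    guid = uuid.UUID(text)
    if guid.version != 1:
        raise ValueError(f"not a time-based GUID (version {guid.version})")
    unix_seconds = (guid.time - UUID_TO_UNIX_TICKS) / 10_000_000
    generated_at = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=unix_seconds)
    return {
        "generated_at": generated_at,
        "clock_seq": guid.clock_seq,
        "node": f"{guid.node:012x}",
        # A node value with the multicast bit set (bit 40) was drawn at random
        # instead of being copied from a network adapter's hardware address.
        "node_is_hardware_address": not (guid.node >> 40) & 1,
    }


def is_time_based(text: str) -> bool:
    return uuid.UUID(text).version == 1


def age_seconds(text: str) -> float:
    """Seconds elapsed since the GUID was generated, per its embedded timestamp."""
    generated_at = decode_time_based_guid(text)["generated_at"]
    return (datetime.now(timezone.utc) - generated_at).total_seconds()


# Constructed sample: a GUID generated from a fictional adapter address and sequence number.
SAMPLE_NODE = 0x001122334455
SAMPLE_CLOCK_SEQ = 0x0ABC
SAMPLE_GUID = str(uuid.uuid1(node=SAMPLE_NODE, clock_seq=SAMPLE_CLOCK_SEQ))

if __name__ == "__main__":
    print(SAMPLE_GUID)
    for field, value in decode_time_based_guid(SAMPLE_GUID).items():
        print(f"{field:>24}: {value}")
```

Run as a script, the example prints the GUID and then the adapter address, clock sequence and generation time recovered from it, which is the reason a GUID must never double as a session identifier or password-reset token.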
glue record
An address (A) resource record for a name server, placed in the parent zone alongside the delegation (NS) records when authority for a zone is delegated from one name server to another. Glue is required when the name server's own name lies inside the zone being delegated, because a resolver could not otherwise find the server's address without first asking the server itself.
The object identifier that uniquely identifies the classSchema objects.
graphical user interface (GUI)
A display format, like that of Windows, that represents a program's functions with graphic images such as buttons and icons. GUIs allow a user to perform operations and make choices by pointing and clicking with a mouse.
gratuitous ARP
An ARP Request frame sent by a host for the host's own IP address when the TCP/IP protocol obtains addressing information. Because the sender and target IP addresses are the same, no other host should answer; a reply indicates that another host on the subnet already uses the address. Gratuitous ARPs are used to check for duplicate IP addresses on the subnet.
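The following is an added example, not part of the original glossary, that builds and parses ARP packets, recognizes a gratuitous request, and runs the duplicate-address check over a constructed set of frames. The MAC and IP addresses are made up for the demonstration; only Python's standard library is used.

```python
import struct
from ipaddress import IPv4Address

# ARP packet layout (RFC 826) for Ethernet/IPv4: hardware type, protocol type,
# hardware address length, protocol address length, opcode, then the four addresses.
ARP_LAYOUT = struct.Struct("!HHBBH6s4s6s4s")
HW_ETHERNET, PROTO_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6


def build_arp(opcode: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    return ARP_LAYOUT.pack(HW_ETHERNET, PROTO_IPV4, 6, 4, opcode, sender_mac,
                           IPv4Address(sender_ip).packed, target_mac,
                           IPv4Address(target_ip).packed)


def build_gratuitous_arp(own_mac: bytes, own_ip: str) -> bytes:
    """A host probing for its own address: sender and target IP are the same."""
    return build_arp(ARP_REQUEST, own_mac, own_ip, ZERO_MAC, own_ip)


def parse_arp(packet: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_LAYOUT.unpack_from(packet)
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}


def is_gratuitous(arp: dict) -> bool:
    return arp["op"] == ARP_REQUEST and arp["sender_ip"] == arp["target_ip"]


def find_duplicate_ips(packets) -> dict:
    """Map each IP address claimed by more than one MAC to the sorted list of claimants.

    Every ARP packet, request or reply, asserts that sender_ip lives at sender_mac.
    A reply to a gratuitous request is the classic duplicate-address signal, and a
    host spoofing someone else's address shows up in exactly the same way.
    """
    claims = {}
    for pkt in packets:
        arp = parse_arp(pkt)
        claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample traffic on one subnet (locally administered MAC addresses).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
MAC_C = bytes.fromhex("020000000003")
SAMPLE_PACKETS = [
    build_gratuitous_arp(MAC_A, "10.0.0.5"),                          # A asks: is 10.0.0.5 free?
    build_arp(ARP_REQUEST, MAC_B, "10.0.0.7", ZERO_MAC, "10.0.0.1"),  # ordinary request for the gateway
    build_arp(ARP_REPLY, MAC_C, "10.0.0.5", MAC_A, "10.0.0.5"),       # C answers: 10.0.0.5 is already mine
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        arp = parse_arp(pkt)
        print("gratuitous" if is_gratuitous(arp) else "normal    ", arp)
    print("conflicts:", find_duplicate_ips(SAMPLE_PACKETS))
```

The same claims table is the core of ARP-spoofing detection: a legitimate address never appears with two hardware addresses, so any entry with more than one claimant deserves an alert, whether it came from a misconfiguration or from an attacker answering on someone else's behalf.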
A collection of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists. In a server cluster, a group is a collection of resources, and the basic unit of failover. See also domain local group; global group; native mode; universal group.
group account
A collection of user accounts. By making a user account a member of a group, the user obtains all the rights and permissions granted to the group. See also user account.
group address
An IP multicast address in the Class D range of 224.0.0.0 to 239.255.255.255, defined by setting the first four high-order bits of the IP address to 1110.
group memberships
The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Windows 2000 are determined by the group memberships of the user account with which the user is logged on. See also group.
group name
A unique name identifying a local group or a global group to Windows 2000. A group's name cannot be identical to any other group name or user name in its own domain or computer. See also global group; local group.
Group Policy
An administrator's tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers on the basis of their membership in sites, domains, or organizational units.
Group Policy object
A collection of Group Policy settings. Group Policy objects are the documents created by the Group Policy snap-in. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. Each Windows 2000-based computer has exactly one group of settings stored locally, called the local Group Policy object.
Group Policy Security Settings
The subtrees of the Group Policy console that allow a security administrator to manually configure security levels assigned to a Group Policy object or local computer policy.
A Services for Macintosh user who does not have a user account or who does not provide a password. When a Macintosh user assigns permissions to everyone, these permissions are given to the guests and users of that group.
guest account
A built-in account used to log on to a computer running Windows 2000 when a user does not have an account on the computer or domain or in any of the domains trusted by the computer's domain.
GUI mode
The portion of Setup that uses a graphical user interface (GUI).


A NetBIOS node type that uses a hybrid of b-node and p-node to register and resolve NetBIOS names to IP addresses. An h-node computer uses a server query first and reverts to broadcasts only if direct queries fail. Windows 2000-based computers are h-node by default.
See hardware abstraction layer.
A system capable of transmitting information in only one direction at a time over a communications channel. See also duplex; full-duplex.
In the user interface, an interface added to an object that facilitates moving, sizing, reshaping, or other functions pertaining to an object. In programming, a pointer to a pointer: a token that lets a program access an identified resource.
hard affinity
A mechanism by which a thread can only run on a set of processors.
hardware abstraction layer (HAL)
A thin layer of software provided by the hardware manufacturer that hides, or abstracts, hardware differences from higher layers of the operating system. Through the filter provided by the HAL, different types of hardware all look alike to the rest of the operating system. This allows Windows NT and Windows 2000 to be portable from one hardware platform to another. The HAL also provides routines that allow a single device driver to support the same device on all platforms. The HAL works closely with the kernel.
Hardware Compatibility List (HCL)
A list of the devices supported by Windows 2000, available from the Microsoft Web site.
hardware failure
A malfunction of a physical component, such as a disk head failure or memory error.
hardware inventory
The automated process that Systems Management Server uses to gather detailed information about the hardware in use on client computers in a Systems Management Server site.
hardware malfunction message
A character-based, full-screen error message displayed on a blue background. It indicates the microprocessor detected a hardware error condition from which the system cannot recover.
hardware router
A router that performs routing as a dedicated function and has specific hardware designed and optimized for routing.
hardware type
A classification for similar devices. For example, Imaging Device is a hardware type for digital cameras and scanners.
See message digest; message digest function.
hash function
See message digest; message digest function.
Hash Message Authentication Code (HMAC)
A mechanism for ensuring the data integrity of online communications that uses cryptographic message digest functions to provide online integrity checking of data that is transmitted. HMAC can be used with any iterative cryptographic message digest function, for example, MD5 or SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying message digest function and on the secrecy of the key: anyone holding the key can produce a valid tag, so HMAC authenticates origin only among the key holders and provides no nonrepudiation. HMAC is also called Hash-based Message Authentication Code algorithm. See also message digest; message digest function.
hash message authentication code-secure hash algorithm (HMAC-SHA)
The combination of HMAC with the Secure Hash Algorithm (SHA-1), the message digest function specified by the National Institute of Standards and Technology in FIPS PUB 180-1. SHA-1 is structurally similar to MD4 and MD5: it processes the message in 512-bit blocks through 80 rounds and produces a 160-bit digest (a digest, not a key). In HMAC-SHA, that digest, computed under the shared secret key, is the value used for the integrity check. See also Hash Message Authentication Code (HMAC).
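The following is an added example, not part of the original glossary, implementing the HMAC construction from the two entries above (the inner and outer keyed hashes from RFC 2104) over SHA-1 and checking it against Python's hmac module. The key and message are constructed for the demonstration.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C


def hmac_by_hand(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104."""
    H = getattr(hashlib, hash_name)
    block_size = H().block_size           # 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > block_size:             # a key longer than one block is hashed down first
        key = H(key).digest()
    key = key.ljust(block_size, b"\x00")  # then zero-padded to exactly one block (K')
    inner = H(bytes(b ^ IPAD for b in key) + message).digest()
    return H(bytes(b ^ OPAD for b in key) + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time comparison: a plain == would leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_by_hand(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-rolled construction against the standard library."""
    return hmac_by_hand(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    key, msg = b"shared secret", b"packet payload"
    tag = hmac_by_hand(key, msg)
    print("HMAC-SHA1 :", tag.hex(), "| stdlib agrees:", matches_stdlib(key, msg))
    print("good tag  :", verify_tag(key, msg, tag))
    print("wrong key :", verify_tag(b"other secret", msg, tag))
    print("tampered  :", verify_tag(key, msg + b"!", tag))
```

The nested structure is what distinguishes HMAC from the naive H(key || message): the outer hash is applied to a fixed-length inner digest, so an attacker who has seen a valid tag cannot extend the message and recompute the tag without the key.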
hashing algorithm
See message digest; message digest function.
See Hardware Compatibility List.
header error check (HEC)
The fifth byte in the ATM cell header used to detect and correct errors in the ATM header.
In a server cluster or Network Load Balancing cluster, a periodic message sent between nodes to detect system failure of any node.
heartbeat thread
A thread initiated by the Windows NT Virtual DOS Machine (NTVDM) process that interrupts every 55 milliseconds to simulate a timer interrupt.
A base-16 number system whose numbers are represented by the digits 0 through 9 and the letters A (equivalent to decimal 10) through F (equivalent to decimal 15).
hierarchical namespace
A namespace, such as the DNS namespace or Active Directory namespace, that is hierarchically structured and provides rules that allow the namespace to be partitioned. See also namespace; flat namespace; noncontiguous namespace.
hierarchical routing infrastructure
A routing infrastructure where groups of network IDs can be represented as a single routing table entry through route summarization. The network IDs in a hierarchical internetwork have a network/subnet/sub-subnet structure.
hierarchical storage management (HSM)
A technology that automates storage management and lowers storage costs by automatically migrating infrequently accessed files from local storage to remote storage and recalling the files upon user demand.
high availability
The ability to keep an application or service operational and usable by clients most of the time.
high performance file system (HPFS)
The file system designed for the OS/2 version 1.2 operating system.
hop count
The value in the Transport Control field that indicates the number of IPX routers that have processed the IPX packet.
A Windows 2000 computer that runs a server program or service used by network or remote clients. For Network Load Balancing, a cluster consists of multiple hosts connected over a local area network.
host address
See host ID.
host group
The set of hosts listening for IP multicast traffic sent to a specific multicast group address.
host ID
A number used to identify an interface on a physical network bounded by routers. The host ID should be unique to the network.
host name
The name of a computer on a network. In the Windows 2000 Server Resource Kit, host name is used to refer to the first label of a fully qualified domain name. See also Hosts file.
host priority
For Network Load Balancing, a host's precedence for handling default network traffic for TCP and UDP ports. It is used if a host within the cluster goes offline, and determines which host within the cluster will assume responsibility for the traffic previously handled by the offline host. See also User Datagram Protocol (UDP).
host route
A route to a specific internetwork address (network ID and host ID). Instead of making a routing decision based on just the network ID, the routing decision is based on the combination of network ID and host ID. Host routes allow intelligent routing decisions to be made for each internetwork address. Host routes are typically used to create custom routes to control or optimize specific types of internetwork traffic. For IP routing tables, a host route has a netmask of 255.255.255.255 (a 32-bit prefix); because it is the most specific route possible, it takes precedence over any network route that also matches the destination.
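The following is an added example, not part of the original glossary, showing the routing decision the entries for host ID, internetwork address and host route describe: a longest-prefix-match lookup over a constructed routing table in which a /32 host route overrides both the directly attached network route and the default route. The addresses, interface name and gateways are made up for the demonstration.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed routing table: (destination prefix, gateway or "on-link", interface).
ROUTES = [
    ("0.0.0.0/0",     "10.0.0.1",   "eth0"),  # default route
    ("10.0.0.0/24",   "on-link",    "eth0"),  # directly attached network
    ("172.16.0.0/16", "10.0.0.2",   "eth0"),  # summarized route to another site
    ("10.0.0.99/32",  "10.0.0.254", "eth0"),  # host route: send one host via an inspection gateway
]


def split_address(address: str, netmask: str) -> tuple:
    """Network ID and host ID of an address under the given mask."""
    addr, mask = int(IPv4Address(address)), int(IPv4Address(netmask))
    return str(IPv4Address(addr & mask)), str(IPv4Address(addr & ~mask & 0xFFFFFFFF))


def lookup(table, destination: str) -> tuple:
    """Longest-prefix match: the most specific matching prefix wins, so the /32
    host route beats the /24 network route, which in turn beats the /0 default."""
    dst = IPv4Address(destination)
    best = None
    for prefix, gateway, interface in table:
        net = IPv4Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, interface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return str(best[0]), best[1], best[2]


if __name__ == "__main__":
    for dst in ("10.0.0.99", "10.0.0.50", "172.16.4.4", "8.8.8.8"):
        print(f"{dst:>12} -> {lookup(ROUTES, dst)}")
    print("10.0.0.99/24 splits into", split_address("10.0.0.99", "255.255.255.0"))
```

The table order is deliberately not the match order: the lookup ignores position and picks the longest prefix, which is why a host route can be added anywhere in a table to pin a single destination to a chosen next hop.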
See Hosts file.
Hosts file
A local text file in the same format as the 4.3 Berkeley Software Distribution (BSD) UNIX /etc/hosts file. This file maps host names to IP addresses and is consulted before DNS, so an attacker who can write to it can silently redirect name lookups; its permissions and contents are worth checking during an investigation. In Windows 2000, this file is stored in the \%SystemRoot%\System32\Drivers\Etc folder. See also systemroot.
hot keys
A Windows feature that allows quick activation of specified accessibility features through a combination of keys pressed in unison.
See Hypertext Markup Language.
See Hypertext Transfer Protocol.
A network-enabled device joining communication lines at a central location, providing a common connection to all devices on the network.
A WINS server configuration that uses a central "hub" as a point of contact for many outlying WINS server "spokes" to improve convergence time.
Hypertext Markup Language (HTML)
A simple markup language used to create hypertext documents that are portable from one platform to another. HTML files are simple ASCII text files with embedded codes (indicated by markup tags) to indicate formatting and hypertext links. HTML is used for formatting documents on the World Wide Web.
Hypertext Transfer Protocol (HTTP)
The protocol used to transfer information on the World Wide Web. An HTTP address (one kind of Uniform Resource Locator [URL]) takes the form: http://www.microsoft.com.



ICMP router discovery
See router discovery.
ideal processor
A processor associated with a thread containing a default value assigned by the system, or specified by the program developer in the application code. In Windows 2000, the scheduler favors running a thread on the ideal processor that is assigned to the thread as part of the soft affinity algorithm.
An initialization subroutine that completes an action only once, even if the routine is called more than once.
See Internet Key Exchange.
illegal address
A duplicate address that conflicts with a public IP address already assigned by the InterNIC to other organizations.
A circumstance that occurs when Windows NT or Windows 2000 allows one process (typically a thread in a server) to take on the security attributes of another (its client), so that access checks are made against the client's identity rather than the server's.
impersonation token
An access token that has been created to capture the security information of a client process, allowing a service to "impersonate" the client process in security operations. See also access token; primary token.
import media pool
A repository where Removable Storage puts media when it recognizes the on-media identifier (OMID), but does not have the media cataloged in the current Removable Storage database.
imported state
A state that indicates media whose label types are recognized by Removable Storage, but whose label IDs are not cataloged by Removable Storage.
in-addr.arpa domain
A special top-level DNS domain reserved for reverse mapping of IP addresses to DNS host names. See also reverse lookup; top-level domains.
inaccessible state
A state that indicates that a side of a multi-cartridge drive is in a drive, but is not in the accessible state.
inactive cluster member
In a server cluster, a node that is not running.
incompatible state
A state that indicates that media are not compatible with the library in which they were classified. This media should be immediately ejected from the library hardware unit.
incremental zone transfer (IXFR)
An alternate query type that can be used by some DNS servers to update and synchronize zone data when a zone is changed. When incremental zone transfer is supported between DNS servers, servers can keep track of and transfer only those incremental resource record changes between each version of the zone. See also full zone transfer (AXFR); zone; zone transfer.
independent software vendor (ISV)
A third-party software developer: an individual or an organization that independently creates computer software.
index key
A sequence of attributes from a database table, whose value uniquely identifies each row in the table. Also called a key segment.
indirect delivery
The delivery of an IP packet by an IP node to an intermediate router.
infrared (IR)
Light that is beyond red in the color spectrum. While the light is not visible to the human eye, infrared transmitters and receivers can send and receive infrared signals. See also Infrared Data Association; infrared device; infrared port.
Infrared Data Association (IrDA)
A networking protocol used to transmit data created by infrared devices. Infrared Data Association is also the name of the industry organization of computer, component, and telecommunications vendors who establish the standards for infrared communication between computers and peripheral devices, such as printers. See also infrared; infrared device; infrared port.
infrared device
A computer, or a computer peripheral such as a printer, that can communicate using infrared light. See also infrared.
infrared port
An optical port on a computer that enables communication with other computers or devices by using infrared light, without cables. Infrared ports can be found on some portable computers, printers, and cameras. See also infrared device.
infrastructure master
The domain controller that holds the infrastructure master operations master role for a domain. It is responsible for updating references from objects in its domain to objects in other domains (for example, a group membership that names a user from another domain) when the referenced object is renamed or moved, and it uses replication to bring all other replicas of the domain up to date. If the infrastructure master is unavailable, these updates are delayed. See also Active Directory; domain controller; multimaster replication; operations master; replication.
The ability to build new object classes from existing object classes. The new object is defined as a subclass of the original object. The original object becomes a superclass of the new object. A subclass inherits the attributes of the superclass, including structure rules and content rules.
A UNIX system data structure that contains unique identifying information about a file.
input filter
A filter that defines the incoming traffic on a given interface that is allowed to be routed or processed by the router.
input/output (I/O) port
A channel through which data is transferred between a device and the microprocessor. The port appears to the microprocessor as one or more memory addresses that it can use to send or receive data.
insertion point
The place where text will be inserted when typed. The insertion point usually appears as a flashing vertical bar in an application's window or in a dialog box.
When referring to software, to add program files and folders to your hard disk and related data to your registry so that the software will run properly. "Installing" contrasts with "upgrading," where existing program files, folders, and registry entries are updated to a more recent version. When referring to hardware, to physically connect the device to your computer, to load device drivers onto your computer, and to configure device properties and settings. See also device driver; registry.
instantaneous counter
A type of counter that displays the most recent measurement taken by the Performance console.
integrated local management interface (ILMI)
A set of functions used to exchange configuration data in an ATM network. The ATM Call Manager in Windows ATM Services uses ILMI for many tasks, such as exchanging ATM addresses. By default, the ATM Call Manager uses ILMI on all ATM network adapters.
Integrated Services Digital Network (ISDN)
A type of phone line used to enhance WAN speeds. ISDN lines can transmit at speeds of 64 or 128 kilobits per second, as opposed to standard phone lines, which typically transmit at 28.8 kilobits per second. An ISDN line must be installed by the phone company at both the server site and the remote site. See also wide area network (WAN).
Integrated Services over slow links (ISSLOW)
A queuing mechanism used to optimize slow (low capacity) network interfaces by reducing latency. In particular, it is designed for interfaces that forward traffic to modem links, ISDN B- channels, and sub-T1 links.
A basic security function of cryptography. Integrity provides verification that the original contents of information have not been altered or corrupted. Without integrity, someone might alter information, or the information might become corrupted, and the alteration could go undetected. As an example, the Internet Protocol security integrity property protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent: a keyed hash (HMAC) computed over each packet produces a cryptographic checksum, which the receiving computer recomputes and checks before accepting the packet. If the packet, and therefore the checksum, has changed, the packet is discarded. An unkeyed hash alone does not provide integrity against an active attacker, who can simply recompute it after modifying the data; the shared key is what makes the check trustworthy. See also cryptography; authentication; confidentiality; nonrepudiation.
A set of Windows 2000 features used for desktop change and configuration management. When IntelliMirror is used in both the server and client, the users' data, applications, and settings follow them when they move to another computer.
In networking, a logical device over which packets can be sent and received. In the Routing and Remote Access administrative tool, it is a visual representation of the network segment that can be reached over the LAN or WAN adapters. Each interface has a unique name. See also network adapter; local area network (LAN); routing; wide area network (WAN).
Interior Gateway Routing Protocol (IGRP)
A distance vector IP routing protocol developed by Cisco Systems, Inc.
intermediate system
A network device with the ability to forward packets between portions of a network. Bridges, switches, and routers are examples of intermediate systems.
internal namespace
A private namespace that is only used by users within an organization.
internal network number
A 4-byte hexadecimal number used for addressing and routing purposes. The internal network number identifies a virtual network inside a computer. The internal network number must be unique to the IPX internetwork. Internal network number is also called virtual network number. See also external network number; Internetwork Packet Exchange (IPX).
A worldwide public TCP/IP internetwork consisting of thousands of networks, connecting research facilities, universities, libraries, and private companies.
Two or more network segments connected by routers. Another term for internetwork. With TCP/IP, an internet can be created by connecting two or more IP networks to a multihomed computer running either Windows 2000 Server or Windows 2000 Professional. IP forwarding must be enabled to route between attached IP network segments.
Internet address class
The original Internet design of dividing the IP address space into defined classes to accommodate different sizes of networks. Address classes are no longer used on the modern Internet. See Class A IP address, Class B IP address, and Class C IP address.
Internet Assigned Numbers Authority (IANA)
An organization that delegates IP addresses and their allocation to organizations such as the InterNIC.
Internet Control Message Protocol (ICMP)
A required maintenance protocol in the TCP/IP suite that reports errors and provides simple connectivity testing. ICMP is used by the Ping tool to perform TCP/IP troubleshooting.
Internet Engineering Task Force (IETF)
An open community of network designers, operators, vendors, and researchers concerned with the evolution of Internet architecture and the smooth operation of the Internet. Technical work is performed by working groups organized by topic areas (such as routing, transport, and security) and through mailing lists. Internet standards are developed in IETF Requests for Comments (RFCs), which are a series of notes that discuss many aspects of computing and computer communication, focusing on networking protocols, programs, and concepts.
Internet Group Management Protocol (IGMP)
A protocol in the TCP/IP protocol suite that is responsible for the management of IP multicast group membership.
Internet Information Services (IIS)
Software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). See also File Transfer Protocol (FTP); Network News Transfer Protocol (NNTP); Simple Mail Transfer Protocol (SMTP).
Internet Key Exchange (IKE)
A protocol that establishes the security association and shared keys necessary for two parties to communicate with Internet Protocol security.
internet layer
A layer of the TCP/IP DARPA model that is responsible for addressing, packaging, and routing functions.
Internet Multicast Backbone
The portion of the Internet that supports multicast routing and forwarding of Internet-based IP multicast traffic. The MBone structure consists of a series of multicast-enabled islands, collections of contiguous networks, connected together using tunnels. Multicast traffic is passed from one island to another by tunneling, that is, by encapsulating the IP multicast packet with an additional IP header addressed from one router in a multicast island to another router in another multicast island.
Internet Protocol (IP)
A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.
Internet Protocol Control Protocol (IPCP)
The Network Control Protocol for IP-based PPP connections. IPCP negotiates IP-based parameters to dynamically configure a TCP/IP-based PPP peer across a point-to-point link. IPCP is documented in RFCs 1332 and 1877.
Internet Protocol security (IPSec)
A set of industry-standard, cryptography-based protection services and protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communications using L2TP. See also Layer Two Tunneling Protocol (L2TP).
Internet Protocol security policy
The set of rules that enforces Internet Protocol security by specifying which security services are used to protect data, and for whom. Internet Protocol security Management is used to administer Internet Protocol security policies. See also Internet Protocol Security.
internet router
A device that connects networks and directs network information to other networks, usually choosing the most efficient route through other routers. See also router.
Internet service provider (ISP)
A company that provides individuals or companies access to the Internet and the World Wide Web. An ISP provides a telephone number, a user name, a password and other connection information so users can connect their computers to the ISP's computers. An ISP typically charges a monthly and/or hourly connection fee.
At least two network segments connected using routers.
internetwork address
The combination of the network ID and the host ID that uniquely identifies a host on an internetwork. An example is an IP address, which contains a network ID and a host ID.
Internetwork Packet Exchange (IPX)
A network protocol native to NetWare that controls addressing and routing of packets within and between LANs. IPX does not guarantee that a message will be complete (no lost packets). See also Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
Internetwork Packet Exchange Control Protocol (IPXCP)
The Network Control Protocol for IPX-based PPP connections. IPXCP negotiates IPX-based parameters to dynamically configure an IPX-based PPP peer across a point-to-point link. IPXCP is documented in RFC 1552.
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
Transport protocols used in Novell NetWare and other networks.
internetwork-level broadcasts
Broadcast packets with a special destination internetwork address that informs the router that the packet is to be forwarded to all other network segments except the network segment on which it was received.
interprocess communication (IPC)
A series of components used by both the programs and processes of networked computers. IPC allows client and server computers to communicate with other computers.
interprocessor interrupt
A high Interrupt-Request Level (IRQL) interrupt that one processor sends to another, allowing the processors in a multiprocessor system to communicate.
interrupt avoidance
A feature of device adapters that allows a processor to continue processing interrupts without new interrupts being queued until all pending interrupts are complete.
interrupt moderation
A feature of device adapters that allows a processor to process interrupts more efficiently by grouping several interrupts to a single hardware interrupt.
interrupt request (IRQ)
A signal sent by a device to get the attention of the processor when the device is ready to accept or send information. Each device sends its interrupt requests over a specific hardware line, numbered from 0 to 15. Each device must be assigned a unique IRQ number.
interrupt request (IRQ) lines
Hardware lines over which devices can send signals to get the attention of the processor when the device is ready to accept or send information. Interrupt request (IRQ) lines are numbered from 0 to 15. Each device must have a unique IRQ line.
A network within an organization that uses Internet technologies and protocols, but is available only to certain people, such as employees of a company. An intranet is also called a private network.
Information that Systems Management Server inventory client agents collect for each client in a site. The inventory can include hardware and software information and collected files, depending on the administrator-defined configuration.
See Internet Protocol.
IP address
A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of the network ID, plus a unique host ID. This address is typically represented in dotted decimal notation, with the decimal value of each octet separated by a period. In Windows 2000, the IP address can be configured manually or dynamically through DHCP. See also Dynamic Host Configuration Protocol (DHCP); node.
IP Filter List
A list of filters. Each describes a particular subset of network traffic to be secured, both for inbound and outbound traffic.
IP multicast group
See host group.
IP router
A system connected to multiple physical TCP/IP networks that can route or deliver IP packets between the networks. See also packet; router; routing; Transmission Control Protocol/Internet Protocol.
IP source routing
The practice of specifying the list of router interfaces corresponding to the path through an IP internetwork that a packet must travel. IP source routing is used in network testing and debugging situations. Because the sender, not the routers, chooses the path, source-routed packets can be used to bypass route-based filtering or to reach hosts behind a multihomed system, so routers and hosts exposed to untrusted networks normally discard them.
IP-in-IP interface
A logical interface that sends IP packets in IP-in-IP tunneled mode.
IP-in-IP tunnels
A tunneling technology used to forward information between endpoints that are acting as a bridge between portions of an IP internetwork that have differing capabilities. A typical use for IP-in-IP tunnels is the forwarding of IP multicast traffic from one area of the intranet to another area of the intranet, across a portion of the intranet that does not support multicast forwarding or routing.
IP/DNS-compatible Locator
See domain controller locator.
See Internet Protocol security.
IPSec driver
A driver that uses the IP Filter List from the active IPSec policy to watch for outbound IP packets that must be secured and inbound IP packets that need to be verified and decrypted.
IPSec Policy Agent Service
A Windows 2000 mechanism that retrieves the IPSec policy information and passes it to the other IPSec mechanisms that require the information in order to perform security services.
IPX packet filtering
Filtering that provides a way to precisely define the type of IPX traffic allowed to cross a router.
See Integrated Services Digital Network.
A Boolean value that defines whether the attribute is replicated to the Global Catalog (TRUE if the attribute is in the Global Catalog, FALSE if it is not).
A Boolean value that specifies whether the attribute is single-valued (TRUE) or multivalued (FALSE). Default is FALSE if this value is not set.
A method of resolving a name request from a client. When using iteration, the DNS server might not provide the requested name. If the DNS server is authoritative for the requested name, it returns the answer. If not, it returns a referral: the NS resource records of the servers authoritative for the closest zone it knows of that encloses the requested name, together with the A resource records (glue) for those servers, but it does not attempt to contact those servers. The client can continue the name search by contacting the referred servers. The alternative method is recursive resolution.
iterative name query
See iterative query.
iterative query
A query made to a DNS server in which the requester instructs the server that it expects the best answer the server can provide without seeking further help from other DNS servers to assist in answering the query. Iterative queries are also called non-recursive queries. See also iteration; recursion; referral.
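The following is an added example, not part of the original glossary, that models the iterative resolution described in the iteration and iterative query entries and shows why the glue record entry matters: a toy resolver starts at a root server, follows referrals using the glue A records each referral carries, and fails cleanly when a delegation omits them. The servers, names and addresses are constructed (RFC 5737 documentation addresses) and no network access is involved.

```python
# Toy authoritative servers keyed by address; names and zones carry a trailing dot.
ROOT = "."


def in_zone(name: str, zone: str) -> bool:
    return zone == ROOT or name == zone or name.endswith("." + zone)


class AuthServer:
    def __init__(self, records: dict, delegations: dict):
        self.records = records          # (name, type) -> [rdata]
        self.delegations = delegations  # child zone -> [(ns name, glue address or None)]

    def query(self, name: str, rtype: str) -> dict:
        """Answer from local data or hand back a referral; never ask another server."""
        if (name, rtype) in self.records:
            return {"rcode": "NOERROR", "answer": self.records[(name, rtype)]}
        child = max((z for z in self.delegations if in_zone(name, z)), key=len, default=None)
        if child is None:
            return {"rcode": "NXDOMAIN"}
        nss = self.delegations[child]
        return {"rcode": "REFERRAL", "zone": child,
                "authority": [ns for ns, _ in nss],
                "additional": {ns: ip for ns, ip in nss if ip}}  # the glue records


def resolve(servers: dict, root_ip: str, name: str, rtype: str = "A", max_hops: int = 8):
    """Iterate from the root, following referrals until an authoritative answer."""
    current, trail = root_ip, []
    for _ in range(max_hops):
        resp = servers[current].query(name, rtype)
        trail.append((current, resp["rcode"]))
        if resp["rcode"] == "NOERROR":
            return resp["answer"], trail
        if resp["rcode"] != "REFERRAL":
            raise LookupError(f"{name}: {resp['rcode']} at {current}")
        if not resp["additional"]:
            raise LookupError(f"{name}: referral to {resp['authority']} without glue; "
                              "the name server's own address cannot be found without it")
        current = next(iter(resp["additional"].values()))
    raise LookupError(f"{name}: referral loop")


# Constructed namespace: root -> com. -> example.com.
SERVERS = {
    "192.0.2.1":  AuthServer({}, {"com.": [("ns.com.", "192.0.2.10")]}),
    "192.0.2.10": AuthServer({}, {"example.com.": [("ns1.example.com.", "192.0.2.20")]}),
    "192.0.2.20": AuthServer({("www.example.com.", "A"): ["192.0.2.80"],
                              ("ns1.example.com.", "A"): ["192.0.2.20"]}, {}),
}
# Same tree, but the com. server's delegation omits the glue A record for ns1.example.com.
SERVERS_NO_GLUE = dict(SERVERS)
SERVERS_NO_GLUE["192.0.2.10"] = AuthServer({}, {"example.com.": [("ns1.example.com.", None)]})

if __name__ == "__main__":
    print(resolve(SERVERS, "192.0.2.1", "www.example.com."))
    try:
        resolve(SERVERS_NO_GLUE, "192.0.2.1", "www.example.com.")
    except LookupError as exc:
        print("failed:", exc)
```

The missing-glue case is the chicken-and-egg problem the glue record entry exists to solve: ns1.example.com. is inside example.com., so without the parent supplying its address the resolver would have to ask ns1.example.com. where ns1.example.com. is. A real resolver would also validate that glue it accepts is in-bailiwick, that is, within the zone being delegated, to avoid cache poisoning through unrelated additional records.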
See incremental zone transfer.


job object
A feature in the Win32 API set that makes it possible for groups of processes to be managed with respect to their processor usage and other factors.
join latency
The time it takes for the first member of an IP multicast host group on a subnet to begin receiving group traffic.



Kerberos authentication protocol
An authentication mechanism used to verify user or host identity. The Kerberos v5 authentication protocol is the default authentication service for Windows 2000. Internet Protocol security and the QoS Admission Control Service use the Kerberos protocol for authentication. See also Internet Protocol security (IPSec); NTLM authentication protocol; QoS Admission Control Service.
The core of layered architecture that manages the most basic operations of the operating system and the computer's processor for Windows NT and Windows 2000. The kernel schedules different blocks of executing code, called threads, for the processor to keep it as busy as possible and coordinates multiple processors to optimize performance. The kernel also synchronizes activities among Executive-level subcomponents, such as I/O Manager and Process Manager, and handles hardware exceptions and other hardware-dependent functions. The kernel works closely with the hardware abstraction layer.
kernel mode
A highly privileged mode of operation where program code has direct access to all memory, including the address spaces of all user-mode processes and applications, and to hardware. Kernel mode is also known as supervisor mode, protected mode, or Ring 0.
key
A secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms to secure data. Windows 2000 automatically handles key generation. For the registry, a key is an entry in the registry that can contain both subkeys and entries. In the registry structure, keys are analogous to folders, and entries are analogous to files. In the Registry Editor window, a key appears as a file folder in the left pane. In an answer file, keys are character strings that specify parameters from which Setup obtains the needed data for unattended installation of the operating system.
key attack
See key search attack.
Key Distribution Center (KDC)
A network service that supplies session tickets and temporary session keys used in the Kerberos authentication protocol. In Windows 2000, the KDC runs as a privileged process on all domain controllers. The KDC uses Active Directory to manage sensitive account information such as passwords for user accounts. See also Kerberos authentication protocol; session ticket.
key exchange
Confidential exchange of secret keys online, which is commonly done with public key cryptography. See also public key cryptography.
key management
Secure management of private keys for public key cryptography. Windows 2000 manages private keys and keeps them confidential with CryptoAPI and CSPs. See also private key; CryptoAPI; cryptographic service provider.
key management server (KM server)
A secure mail management service for Microsoft Exchange Service.
key pair
A private key and its related public key. See also public/private key pair.
key search attack
An attack to find a secret password or a symmetric encryption key by trying all possible passwords or keys until the correct password or key is discovered. Also called a brute force attack.
keyboard filters
Special timing and other devices that compensate for erratic motion tremors, slow response time, and other mobility impairments.
kilobit
A data unit equal to 1,000 bits.
kilobits per second (Kbps)
Data transfer speed, as on a network, measured in multiples of 1,000 bits per second.
Knowledge Consistency Checker (KCC)
A built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. At specified intervals, the KCC reviews and makes modifications to the replication topology to ensure propagation of data either directly or transitively.
knowledge reference
In Active Directory, knowledge about the existence and location of directory partitions in the forest, including the names of the directory partitions and what server is holding read-only copies (partial directory partitions stored on Global Catalogs) and/or writable copies (full directory partitions). See also external reference.
Korn shell (ksh)
A command shell which provides the following functionality:
file input and output redirection
command line editing using vi
command history
integer arithmetic
pattern matching and variable substitution
command name abbreviation (aliasing)
built-in commands for writing shell programs.



L2TP
See Layer 2 Tunneling Protocol.
L2TP client
A tunnel client using the L2TP tunneling protocol and IPSec.
L2TP server
A tunnel server using the L2TP tunneling protocol and IPSec.
label
See domain name label.
LAN
See local area network.
LAN emulation (LANE)
A set of protocols that allow existing Ethernet and Token Ring LAN services to overlay an ATM network. LANE allows connectivity among LAN- and ATM-attached stations. See also Asynchronous Transfer Mode (ATM).
LAN emulation client (LEC)
The client on an emulated local area network (ELAN) that performs data forwarding, address resolution, and other control functions. The LEC resides on end stations in an emulated local area network (ELAN). See also Asynchronous Transfer Mode (ATM); emulated local area network (ELAN); LAN emulation.
LAN emulation configuration server (LECS)
The service that assigns individual LANE clients to particular emulated local area networks (ELANs) by directing them to the LAN emulation service (LES). See also emulated local area network (ELAN); LAN emulation; LAN emulation server.
LAN emulation server (LES)
The central control point for an emulated local area network (ELAN). Enables LANE clients to join the emulated local area network (ELAN) and resolves LAN addresses to ATM addresses. See also Asynchronous Transfer Mode (ATM); emulated local area network (ELAN); LAN emulation (LANE).
LAN manager replication
The file replication service used under Windows NT. See File Replication service.
large window support
In TCP communications, the window is the largest amount of data that can be transferred without acknowledgment. Ordinarily the window has a fixed size. Large window support dynamically recalculates the window size and allows larger amounts of data to be transferred at one time, which increases throughput.
latency
See replication latency.
layer 2 switch
A switch that operates at the datalink layer of the OSI reference model.
layer 3 switch
A switch that operates at the network layer of the OSI reference model.
Layer 2 Tunneling Protocol (L2TP)
A tunneling protocol that encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks. L2TP is a combination of the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc.
LDAP
See Lightweight Directory Access Protocol.
LDAP API
See Lightweight Directory Access Protocol Application Programming Interface.
LDAP Data Interchange Format (LDIF)
A draft Internet standard for a file format that can be used to perform batch operations on directories that conform to LDAP standards.
LDAP referral
A reference to another domain controller, returned by an LDAP search when the requested object is not found on the domain controller being searched.
lDAPDisplayName (LDAP-Display-Name)
The name by which LDAP clients identify an attribute. The lDAPDisplayName property must be unique across all lDAPDisplayName attributes for all schemaClass and schemaAttribute objects in the Schema container.
It is recommended that the lDAPDisplayName be the cn with the hyphens removed (except do not remove the hyphen separating your name prefix from the rest of the name) and with the first character in lowercase.
It is also recommended that you specify the lDAPDisplayName rather than letting this attribute default.
LDIF Directory Exchange tool
A command-line utility that allows you to import and export objects to and from Active Directory. You can create, modify, and delete directory objects by using this utility. Objects are stored in the LDIF file format. The utility can be run on a Windows 2000 server or copied to a Windows 2000 workstation. For example, LDIFDE can be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
LDIFDE
See LDIF Directory Exchange tool.
leave latency
The time between when the last host on a subnet has left an IP multicast host group and when no more multicast traffic for that group is forwarded to the subnet.
library
A data-storage system, usually managed by Removable Storage. A library consists of removable media (such as tapes or discs) and a hardware device that can read from or write to the media. There are two major types of libraries: robotic libraries (automated multiple-media, multidrive devices) and stand-alone drive libraries (manually operated, single-drive devices). A robotic library is also called a jukebox or changer. See also Removable Storage.
library request
A request for an online library or stand-alone drive to perform a task. This request can be issued by an application or by Removable Storage.
license service
A server in Terminal Services that stores all client licenses that have been downloaded for a Terminal server and tracks the licenses that have been issued to client computers or terminals.
Lightweight Directory Access Protocol (LDAP)
A directory service protocol that runs directly over TCP/IP and is the primary access protocol for Active Directory. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251. See also Lightweight Directory Access Protocol application programming interface (LDAP API).
Lightweight Directory Access Protocol application programming interface (LDAP API)
An API for experienced C programmers who want to enable new or existing applications to connect to, search, and update LDAP servers. You can use the LDAP API to write directory-enabled applications that allow LDAP client applications to search for and retrieve information from an LDAP server. LDAP API enables the modification of directory objects, where such modifications are permitted. There are also functions that provide access control for servers, by allowing clients to authenticate themselves.
The LDAP API is delivered with Windows 2000 and is found in the Wldap32.dll file. The Microsoft LDAP API is compatible with both version 2 and version 3 of the LDAP standard.
limited broadcast address
The broadcast address of
line kill
In UNIX, an assigned key that deletes the entire current line.
Line Printer Daemon (LPD)
A service on the print server that receives documents (print jobs) from line printer remote (LPR) tools running on client systems. See also Line Printer Remote (LPR).
Line Printer Remote (LPR)
A connectivity tool that runs on client systems and is used to print files to a computer running an LPD server. See also Line Printer Daemon (LPD).
Link Control Protocol (LCP)
A PPP control protocol that negotiates link and PPP parameters to dynamically configure the data-link layer of a PPP connection.
Link State Advertisements (LSAs)
An advertisement of an OSPF router that contains its attached networks and their configured costs.
link state database (LSDB)
A map of an area maintained by OSPF routers. It is updated after any change in the network topology. The link state database is used to compute IP routes, which must be computed again after any change in the topology. See also Open Shortest Path First (OSPF).
link station
Hardware and software components within a node that represent a connection to an adjacent node over a specific link.
linked object
An object that is inserted into a document but still exists in the source file. When information is linked, the new document is updated automatically if the information in the original document changes. See also embedded object.
linkID
An integer that indicates that the attribute is a linked attribute. An even integer is a forward link and an odd integer is a back link.
This value must be unique for linkIDs of all attributeSchema objects. A back link must have a corresponding forward link.
listening mode
The way that the network adapter analyzes the destination media access control address of incoming frames in order to decide to process them further.
Lmhosts file
A local text file that maps NetBIOS names (commonly used for computer names) to IP addresses for hosts that are not located on the local subnet. In Windows 2000, this file is stored in the SystemRoot\System32\Drivers\Etc folder.
load sharing
See round robin.
load balancing
Scaling the performance of a server-based program (such as a Web server) by distributing its client requests across multiple servers within the cluster by using Windows Clustering. Each host can specify the load percentage that it will handle, or the load can be equally distributed across all the hosts. If a host fails, Windows Clustering dynamically redistributes the load among the remaining hosts. See also client request; cluster; host; scalability; server.
local area network (LAN)
A communications network connecting a group of computers, printers, and other devices located within a relatively limited area (for example, a building). A LAN allows any connected device to interact with any other on the network. See also wide area network (WAN).
local computer
A computer that can be accessed directly without using a communications line or a communications device, such as a network adapter or a modem. Similarly, running a local program means running the program on your computer, as opposed to running it from a server.
local group
For computers running Windows 2000 Professional and member servers, a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. See also global group.
local policy module
A Windows 2000 mechanism that provides the QoS Admission Control Service with a means of retrieving policy information from Active Directory. The QoS Admission Control Service invokes the LPM when a policy object with a Windows 2000 Kerberos ticket is detected. The LPM takes the user name from the policy object and the RSVP message, and looks up the user's admission control policy in Active Directory.
local printer
A printer that is directly connected to one of the ports on your computer.
Local Security Authority (LSA)
A protected subsystem that authenticates and logs users onto the local system. In addition, the LSA maintains information about all aspects of local security on a system (collectively known as the local security policy), and provides various services for translation between names and identifiers.
local security policy
Security information about all aspects of local security on a system. The local security policy identifies who is assigned privileges and what security auditing is to be performed.
local storage
For Windows 2000 Server, NTFS disk volumes used as primary data storage. Such disk volumes can be managed by Remote Storage by copying infrequently accessed files to remote, or secondary, storage. See also Remote Storage.
locally administered address (LAA)
Internal network address on a network adapter that is specifically written to accommodate an organization's adapter naming standard.
LocalTalk
The Apple networking hardware built into every Macintosh computer. LocalTalk includes the cables and connector boxes to connect components and network devices that are part of the AppleTalk network system. LocalTalk was formerly known as the AppleTalk Personal Network.
lock
To make a file inaccessible. When more than one user can manipulate a file, that file is locked when a user accesses it in order to prevent more than one user from modifying the file simultaneously.
log file
A file that stores messages generated by an application, service, or operating system. These messages are used to track the operations performed. For example, Web servers maintain log files listing every request made to the server. Log files are usually ASCII files and often have a .log extension. In Backup, a file that contains a record of the date the tapes were created and the names of files and directories successfully backed up and restored. The Performance Logs and Alerts service also creates log files.
log off
To stop using a network, which removes the user name from active use until the user logs on again.
log on
To begin using a network by providing a user name and password that identifies a user to the network.
logical drive
A volume created within an extended partition on a basic disk. You can format and assign a drive letter to a logical drive. Only basic disks can contain logical drives. A logical drive cannot span multiple disks. See also basic disk; basic volume; extended partition.
logical IP subnet (LIS)
A group of IP hosts/members belonging to the same IP subnet and whose host ATMARP server ATM address is the same.
logical link control (LLC)
A protocol standard developed by the IEEE 802 committee, which governs the exchange of transmission frames between data stations independently of how the transmission medium is shared on the local area network.
logical printer
The software interface between the operating system and the printer in Windows 2000. While a printer is the device that does the actual printing, a logical printer is its software interface on the print server. This software interface determines how a print job is processed and how it is routed to its destination (to a local or network port, to a file, or to a remote print share). When a document is printed, it is spooled (or stored) on the logical printer before it is sent to the printer itself. See also spooling.
logical store
See certificate stores.
logical unit (LU)
An IBM Systems Network Architecture protocol that allows end users to communicate with each other and gain access to IBM network resources.
long file name (LFN)
A folder name or file name longer than the 8.3 file name standard (up to eight characters followed by a period and an extension of up to three characters) of the FAT file system. Windows 2000 supports long file names up to the file-name limit of 255 characters. Macintosh users can assign long names to files and folders on the server and, using Services for Macintosh, long names to Macintosh-accessible volumes can be assigned when created. Windows 2000 automatically translates long names of files and folders to 8.3 names for MS-DOS and Windows 3.x users. See also name mapping.
loopback address
The address of the local computer used for routing outgoing packets back to the source computer. This address is used primarily for testing.
loopback option
An option that allows an administrator to apply Group Policy settings based on the computer that the user logs on to, even after the user settings have been processed.
loose consistency
In multimaster directory replication, the tolerance for replication latency. In Active Directory replication, replicas are not guaranteed to be consistent with each other at any particular point in time because changes can be applied to any full replica at any time. Factors that affect replication latency include same or different site, number of hops between domain controllers, whether changes are found via notification or periodic synchronization, bandwidth of links, whether systems are down, and replication load. See also replication convergence.
LPM
See local policy module.



M-node
A NetBIOS node type that uses a mix of b-node and p-node communications to register and resolve NetBIOS names. M-node first uses broadcast resolution; then, if necessary, it uses a server query.
Macintosh-accessible volume
Storage space on the server used for folders and files of Macintosh users. A Macintosh-accessible volume is equivalent to a shared folder for personal computer users. Each Macintosh-accessible volume on a computer running Windows 2000 Server will correspond to a folder. Both personal computer users and Macintosh users can be given access to files located in a folder that is designated as both a shared folder and a Macintosh-accessible volume.
Macintosh-style permissions
Folder and volume permissions that are similar to the access privileges used on a Macintosh.
MADCAP
See multicast address dynamic client allocation protocol (MADCAP).
Magic Packet
A packet that contains 16 contiguous copies of the receiving network adapter's Ethernet address. A magic packet is used to awaken a computer from a low power state.
Management Information Base (MIB)
A collection of formally described objects, each of which represents a particular type of information, that can be accessed and managed by the Simple Network Management Protocol (SNMP) through a network management system.
mandatory attributes
Object attributes for which values must be specified.
Master Boot Record (MBR)
The first sector on a hard disk, a data structure that starts the process of booting the computer. It is the most important area on a hard disk. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code.
master domain
A Windows NT domain that holds user account data. Also known as an account domain.
master file table (MFT)
The database that tracks the contents of an NTFS volume. The MFT is a table whose rows correspond to files on the volume and whose columns correspond to the attributes of each file.
master replica
See full replica.
master server
In a DNS zone transfer, the computer that is the source of the zone. Master servers can vary and are one of two types (either primary or secondary masters), depending on how the server obtains its zone data. See also primary server; secondary server; zone; zone transfer.
maximum password age
The period of time a password can be used before the system requires the user to change it.
maximum receive unit (MRU)
The maximum size of a PPP frame. The MRU is determined during the negotiation of the logical link.
maximum segment size
The maximum size of a TCP segment that can be sent on a TCP connection.
maximum transmission unit (MTU)
The maximum frame size supported by a network technology such as Ethernet or Token Ring.
mayContain
A multivalued property that specifies the attributes that can be present on instances of this class. These are optional attributes that are not mandatory and, therefore, may or may not be present on an instance of this classSchema object. For an existing classSchema object, values can be added to this property but not removed.
Each value is the lDAPDisplayName of an attribute. You must ensure that the attributes exist or will exist when the new class is written to the directory. If one of the attributes does not exist, the classSchema object will fail to be added to the directory.
The full set of optional attributes for this class is the union of the systemMayContain and mayContain on this class as well as the systemMayContain and mayContain properties of all inherited classes.
media access control
A sublayer of the IEEE 802 specifications that defines network access methods and framing.
media access control address
The address used for communication between network adapters on the same subnet. Each network adapter has an associated media access control address.
media label library
A dynamic-link library (DLL) that can interpret the format of a media label written by a Removable Storage application.
member server
A computer that runs Windows 2000 Server but is not a domain controller of a Windows 2000 domain. Member servers participate in a domain, but do not store a copy of the directory database.
memory address
A portion of computer memory that can be allocated to a device or used by a program or the operating system. Devices are usually allocated a range of memory addresses.
memory leak
A condition that occurs when applications allocate memory for use but do not free allocated memory when finished.
message digest
A fixed-size result obtained by applying a one-way mathematical function called a message digest function (sometimes called a "hash function" or "hash algorithm") to an arbitrary amount of data. Given a change in the input data, the resulting value of the message digest will change. Message digest is also called a hash. See message digest function.
message digest function
One-way mathematical algorithm used to produce a message digest (also called a hash). See also message digest.
Messaging API (MAPI)
See Messaging Application Programming Interface.
Messaging Application Programming Interface (MAPI)
A Microsoft API used to support messaging applications.
metacharacter
A character that is assigned a special meaning that is recognized by the shell.
metadata
Stored data that describes and controls the functioning of the Remote Storage system.
metric
A number used to indicate the cost of a route in the IP routing table to enable the selection of the best route among possible multiple routes to the same destination.
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)
An encrypted authentication mechanism for PPP connections similar to CHAP. The remote access server sends a challenge to the remote access client that consists of a session ID and an arbitrary challenge string. The remote access client must return the user name and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password.
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
An encrypted authentication mechanism for PPP connections that provides stronger security than CHAP and MS-CHAP v1. MS-CHAP v2 provides mutual authentication and asymmetric encryption keys.
Microsoft Component Services
A program that runs on an Internet or other server and manages the application and database transaction requests for a client's user. Component Services screens the user and client computer from having to formulate requests for unfamiliar databases and forwards the requests to database servers. It also manages security, connection to other servers, and transaction integrity.
Microsoft Management Console (MMC)
A framework for hosting administrative consoles. A console is defined by the items on its console tree, which might include folders or other containers, World Wide Web pages, and other administrative items. A console has one or more windows that can provide views of the console tree and the administrative properties, services, and events that are acted on by the items in the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree might be hidden when a console is in User Mode. See also console tree.
The process of moving files or programs from an older file format or protocol to a more current format or protocol. For example, WINS database entries can be migrated from static WINS database entries to dynamically registered DHCP entries.
The process of copying an object from local storage to remote storage.
Mini-Setup wizard
A wizard that starts the first time a computer boots from a hard disk that has been duplicated. The wizard gathers any information that is needed for the newly duplicated hard disk.
minimum password length
The fewest characters a password can contain.
minimum TTL
A default Time To Live (TTL) value set in seconds for use with all resource records in a zone. This value is set in the start of authority (SOA) resource record for each zone. By default, the DNS server includes this value in query answers to inform recipients how long it can store and use resource records provided in the query answer before they must expire the stored records data. When TTL values are set for individual resource records, those values will override the minimum TTL. See also Time To Live (TTL).
miniport drivers
A driver that is connected to an intermediate driver and a hardware device.
mirror set
A fully redundant or shadow copy of data. Mirror sets provide an identical twin for a selected disk; all data written to the primary disk is also written to the shadow or mirror disk. This gives you instant access to another disk with a copy of the information. Mirror sets provide fault tolerance. See also stripe set with parity; volume set.
mirrored volume
A fault-tolerant volume that duplicates data on two physical disks. The mirror is always located on a different disk. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate by using the unaffected disk. A mirrored volume is slower than a RAID-5 volume in read operations but faster in write operations. Mirrored volumes can only be created on dynamic disks. In Windows NT 4.0, a mirrored volume was known as a mirror set. See also dynamic disk; dynamic volume; fault tolerance; redundant array of independent disks (RAID); volume.
mixed mode
The default mode setting for domains on Windows 2000 domain controllers. Mixed mode allows Windows 2000 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000. You can change the domain mode setting to Windows 2000 native mode after all Windows NT domain controllers are either removed from the domain or upgraded to Windows 2000. See also native mode.
mixed version
Used to describe a server cluster in which different nodes are running different versions of the server cluster software.
mixed-mode domain
A networked set of computers running more than one operating system, for example, both Windows NT and Windows 2000.
MMC
See Microsoft Management Console.
MMC snap-in
A type of management tool that you can add to the console tree of a console supported by Microsoft Management Console (MMC), for example, Device Manager. A snap-in can be either a stand-alone or an extension snap-in. A stand-alone snap-in can be added by itself; an extension snap-in can only be added to extend another snap-in. See also Microsoft Management Console (MMC).
mobile user
A user who travels away from a corporate campus such as a salesperson or field technician.
mobility impairments
The diminished ability to perform certain manual tasks, such as using a mouse or pressing two keys at the same time; having a tendency to hit multiple keys, or bounce fingers off keys; or inability to hold a printed book.
module
A component of the Windows 2000 operating system that has sole responsibility for its functions. An application runs in a separate module in user mode, from which it requests system services. Application processes are transferred to one or more modules in kernel mode (protected), where the actual service is provided.
more fragments flag
A field in the Internet Protocol (IP) header that indicates that more fragments follow this fragment.
MouseKeys
A feature in Microsoft Windows that allows use of the numeric keypad to move the mouse pointer.
An alternative assistive input device for users with physical impairments.
MS-DOS-based application
An application that is designed to run with MS-DOS and therefore, might not be able to take full advantage of all Windows 2000 features.
multicast
Network traffic destined for a set of hosts that belong to a multicast group. See also multicast group.
multicast address dynamic client allocation protocol (MADCAP)
An extension to the DHCP protocol standard used to support dynamic assignment and configuration of IP multicast addresses on TCP/IP-based networks.
multicast address resolution service (MARS)
A service for resolving multicast IP addresses to the ATM addresses of the clients that have joined that multicast group. The MARS can work in conjunction with the multicast server (MCS) and clients to distribute multicast data through point-to-multipoint connections.
multicast DHCP (MDHCP)
An extension to the DHCP protocol standard that supports dynamic assignment and configuration of IP multicast addresses on TCP/IP-based networks.
multicast forwarding table
The table used by IP to forward IP multicast traffic. An entry in the IP multicast forwarding table consists of the multicast group address, the source IP address, a list of interfaces to which the traffic is forwarded (next hop interfaces), and the single interface on which the traffic must be received in order to be forwarded (the previous hop interface).
multicast group
A group of member TCP/IP hosts configured to listen and receive datagrams sent to a specified destination IP address. The destination address for the group is a shared IP address in the Class D address range (224.0.0.0 to 239.255.255.255). See also datagram.
multicast heartbeat
The ability of the Windows 2000 router to listen for a regular multicast notification to a specified group address.
multicast promiscuous mode
A listening mode that passes up for processing all frames that have the IEEE-defined multicast bit set to 1.
multicast routing protocol
Protocols such as Distance Vector Multicast Routing Protocol (DVMRP), Multicast Open Shortest Path First (MOSPF), or Protocol Independent Multicast (PIM) used to exchange IP multicast host membership information. Group membership is either communicated explicitly, by exchanging [group address, subnet] information, or implicitly, by informing upstream routers that there either are or are not group members in the downstream direction from the source of the multicast traffic.
multicast scope
A range of IP multicast addresses. Multicast addresses in this range can be prevented from propagating in either direction (send or receive) through the use of scope-based multicast boundaries.
multicast static route
A static route used to determine the previous hop interface for IP multicast forwarding table entries and the previous hop neighbor used for multicast diagnostic utilities such as mtrace.
multihomed computer
A computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter.
multilingual APIs
Application programming interfaces used to support multiple languages in Windows 2000.
multilink protocol (MP)
An extension to PPP that is used to aggregate multiple physical links into a single logical link. MP is defined in RFC 1990.
multimaster replication
A system of replication in which all replicas of a given directory partition are writable, allowing updates to be applied to any replica. Active Directory uses a multimaster replication system, and replicates the changes from a given replica to all other replicas automatically and transparently. All replicas are not necessarily fully consistent at all times. This model differs from other replication models in which one computer stores the single modifiable copy of the directory and other computers store backup copies. See also domain controller; replication; loose consistency.
The practice of using multiple logical subnets on the same physical network.
multipath routing infrastructure
A routing infrastructure where multiple paths exist between network segments in the internetwork.
multiple provider router (MPR)
A software component that supports Win32 network API requests for redirectors and passes them to the appropriate redirector.
multiple universal naming convention provider (MUP)
A mechanism that chooses the appropriate redirector when an application attempts to resolve a universal naming convention (UNC) name.
multiple-master replication
The process by which Windows 2000 domain controllers replicate domain data. The primary domain controller emulator replicates the domain data to the other domain controllers. See primary domain controller emulator.
Multipurpose Internet Mail Extensions (MIME)
A common method for transmitting non-text data through Internet e-mail. MIME encodes non-text data as ASCII text and then decodes it back to its original format at the receiving end. A MIME header is added to the file, which includes the type of data contained and the encoding method used. See also Secure/Multipurpose Internet Mail Extensions (S/MIME).
multitasking
The ability of an operating system to run several processes at the same time to handle multiple tasks.
mustContain
A multi-valued property that specifies the attributes that must be present on instances of this class. These are mandatory attributes that must be present during creation and cannot be cleared after creation. After creation of the class, this attribute cannot be changed.
Each value is the lDAPDisplayName of an attribute. You must ensure that the attributes exist or will exist when the new class is written to the directory. If one of the attributes does not exist, the classSchema object will fail to be added to the directory.
The full set of mandatory attributes for this class is the union of the systemMustContain and mustContain on this class as well as the systemMustContain and mustContain properties of all inherited classes.
mutual authentication
The process in which the calling router authenticates itself to the answering router and the answering router authenticates itself to the calling router. Both ends of the connection verify the identity of the other end of the connection. The MS-CHAP v2 and EAP-TLS authentication methods provide mutual authentication.



name devolution
A process by which a DNS resolver appends one or more domain names to an unqualified domain name, making it a fully qualified domain name, and then submits the fully qualified domain name to a DNS server.
name management
Registering, querying, and releasing NetBIOS names.
name mapping
A Windows 2000 feature that enables file system access by MS-DOS and Windows 3.x users to NTFS and FAT volumes, and enables user account assignments for Kerberos users from non-Windows 2000 Kerberos realms or for external (non-enterprise) users with X.509 certificates. For file system access, Windows 2000 allows share names of up to 255 characters, as opposed to MS-DOS and Windows 3.x, which are restricted to eight characters followed by a period and an extension of up to three characters. Each file or folder with a name that does not conform to the MS-DOS 8.3 standard is automatically given a second name that does. MS-DOS and Windows 3.x users connecting to the file or directory over the network see the name in the 8.3 format; Windows 2000 users see the long name.
name query
A query broadcast to a local network or to a NetBIOS name server in order to resolve the IP address when one NetBIOS application wants to communicate with another NetBIOS application.
name registration
The process of registering a computer name with a name server, such as a DHCP or WINS server, when a client computer joins a computer network. This process of name registration creates a database entry that other network services use to locate that computer.
name registration request
A message sent to a NetBIOS name server when a TCP/IP host begins an attempt to register the domain name.
name release
A message sent to a NetBIOS server to indicate that a domain name has been released and is available for use by another server.
name resolution
The process of having software translate between names that are easy for users to work with, and numerical IP addresses, which are difficult for users but necessary for TCP/IP communications. Name resolution can be provided by software components such as the Domain Name System (DNS) or the Windows Internet Name Service (WINS). In directory service, the phase of LDAP directory operation processing that involves finding a domain controller that holds the target entry for the operation. See also Domain Name System (DNS); Transmission Control Protocol/Internet Protocol (TCP/IP); Windows Internet Name Service (WINS).
name resolution service
A service required by TCP/IP internetworks to convert computer names to IP addresses and IP addresses to computer names. (People use "friendly" names to connect to computers; programs use IP addresses.) See also internetwork; IP address; Transmission Control Protocol/Internet Protocol (TCP/IP).
name server
In the DNS client/server model, a server authoritative for a portion of the DNS database. The server makes computer names and other information available to client resolvers that are querying for name resolution across the Internet or an intranet. See also Domain Name System (DNS).
name server (NS) resource record
A resource record used in a zone to designate the DNS domain names for authoritative DNS servers for the zone. See also resource record.
Named Pipe
A portion of memory that can be used by one process to pass information to another process, so that the output of one process is the input of the other process. The second process can be local (on the same computer as the first) or remote (on a networked computer).
namespace
A set of unique names for resources or items used in a shared computing environment. The names in a namespace can be resolved to the objects they represent. For Microsoft Management Console (MMC), the namespace is represented by the console tree, which displays all of the snap-ins and resources that are accessible to a console. For Domain Name System (DNS), namespace is the vertical or hierarchical structure of the domain name tree. For example, each domain label, such as "host1" or "example," used in a fully qualified domain name, such as "host1.example.microsoft.com," indicates a branch in the domain namespace tree. For Active Directory, namespace corresponds to the DNS namespace in structure, but resolves Active Directory object names.
naming context
See directory partition.
naming service
A service, such as that provided by WINS or DNS, that allows friendly names to be resolved to an address or other specially defined resource data that is used to locate network resources of various types and purposes.
NAT editor
A component of a network address translator that performs additional translation and payload adjustment beyond the IP, TCP, and UDP headers. A NAT editor is an installable component that can properly modify otherwise non-translatable payloads so that they can be forwarded across a NAT.
National Registration Authority (NRA)
An identified body in each nation responsible for issuing object identifiers to enterprises.
native mode
The condition in which all domain controllers within a domain are Windows 2000 domain controllers and an administrator has enabled native mode operation (through Active Directory Users and Computers). See also mixed mode.
negative caching
A situation in which computers that use and query DNS cache negative responses to a query for a limited period of time. A negative response is obtained when a DNS server directly answers a name query, indicating that no records of the requested DNS domain name were found to exist. The use of this kind of caching can help speed the response for successive queries from other computers for the same name.
negative name registration response
A response to a name registration request from a host or a NetBIOS server indicating that another host or NetBIOS server has already registered the requested name.
negotiation policy
A named collection of security methods in a rule, contained in an Internet Protocol security policy used to establish a security association between the two communicating parties. See also Internet Protocol security policy.
nested groups
A Windows 2000 capability available only in native mode that allows the creation of groups within groups. See also domain local group; forest; global group; trusted forest; universal group.
Net Logon service
A service that runs in the Windows 2000 security subsystem in user mode and performs the following functions: replication of Windows NT 3.x and Windows NT 4.0 backup domain controllers with the Windows 2000 PDC emulator; NTLM pass-through authentication; periodic password updates for computer accounts and interdomain trust relationships; domain controller discovery using NetBIOS naming for non-directory-aware domain controllers (domain controllers that run Windows NT 3.5 and Windows NT 4.0); domain controller discovery in the closest site using NetBIOS naming or DNS naming for directory-aware domain controllers (Windows 2000 domain controllers).
NetBEUI
See NetBIOS Extended User Interface.
NetBIOS
See network basic input/output system.
NetBIOS Extended User Interface (NetBEUI)
A network protocol native to Microsoft Networking that is usually used in local area networks of one to 200 clients. NetBEUI uses Token Ring source routing as its only method of routing. It is the Microsoft implementation of the NetBIOS standard.
NetBIOS Frames Control Protocol (NBFCP)
The Network Control Protocol for NetBEUI-based PPP connections. NBFCP negotiates NetBEUI-based parameters to dynamically configure a NetBEUI-based PPP connection across a point-to-point link. NBFCP is documented in RFC 2097.
NetBIOS name
A 16-byte name of a process using NetBIOS. A name recognized by WINS, which maps the name to an IP address.
NetBIOS name query
A packet sent to either a NetBIOS name server, such as a WINS server, or as a broadcast to resolve the IP address of a NetBIOS name.
NetBIOS name resolution
The process of resolving a NetBIOS name to its IP address.
NetBIOS name server
A computer that resolves NetBIOS names to IP addresses. A WINS server is a NetBIOS name server.
NetBIOS Node Type
A designation of the exact mechanisms by which NetBIOS names are resolved to IP addresses.
NetBIOS over TCP/IP (NetBT)
A feature that provides the NetBIOS programming interface over the TCP/IP protocol. It is used for monitoring routed servers that use NetBIOS name resolution.
NetBT
See NetBIOS over TCP/IP.
Netdom
A tool that allows management of Windows 2000 domains and trust relationships from the command line.
Netsh
A command-line and scripting utility for Windows 2000 networking components for local or shared computers.
NetWare
Novell's network operating system.
NetWare Core Protocol (NCP)
The file-sharing protocol that governs communications about resource (such as disk and printer), bindery, and NDS operations between server and client computers on a Novell NetWare network. Requests from client computers are transmitted by the IPX protocol. Servers respond according to NCP guidelines. See also bindery; Internetwork Packet Exchange (IPX); Novell Directory Services (NDS).
NetWare Link Services Protocol (NLSP)
A link state routing protocol developed by Novell and used on IPX internetworks.
network access server (NAS)
The device that accepts PPP connections and places clients on the network that the NAS serves. A NAS is also called a terminal server.
network adapter
Software or a hardware plug-in board that connects a node or host to a local area network.
network address
See network ID.
network address translation (NAT)
A protocol that allows a network with private addresses to access information on the Internet through an IP translation process. With NAT, you can configure your home network or small office network to share a single connection to the Internet.
network address translator
An IP router defined in RFC 1631 that can translate IP addresses and TCP/UDP port numbers of packets as they are being forwarded.
network administrator
A person responsible for setting up and managing domain controllers or local computers and their user and group accounts, assigning passwords and permissions, and helping users with networking issues. Administrators are members of the Administrators group and have full control over the domain or computer.
network basic input/output system (NetBIOS)
An application programming interface (API) that can be used by applications on a local area network or computers running MS-DOS, OS/2, or some version of UNIX. NetBIOS provides a uniform set of commands for requesting lower level network services.
network bridge
A device that connects networks by using the same communications protocols so that information can be passed from one to the other. Also, a device that connects two local area networks, whether or not they use the same protocols. A bridge operates at the ISO/OSI data-link layer.
Network Control Protocol (NCP)
A protocol within the PPP protocol suite that negotiates the parameters of an individual LAN protocol such as TCP/IP or IPX.
network data stream
The total amount of data transferred over a network at any given time.
Network Driver Interface Specification (NDIS)
A software component that provides Windows 2000 network protocols a common interface for communications with network adapters. NDIS allows more than one transport protocol to be bound and operate simultaneously over a single network adapter card.
network file system (NFS)
A service for distributed computing systems that provides a distributed file system, eliminating the need for keeping multiple copies of files on separate computers.
network gateway
A device that connects networks using different communications protocols so that information can be passed from one to the other. A gateway both transfers information and converts it to a form compatible with the protocols being used by the receiving network.
network ID
A number used to identify the systems that are located on the same physical network bounded by routers. The network ID should be unique to the internetwork.
network interface layer
A layer of the TCP/IP DARPA model that is responsible for placing TCP/IP packets on the network medium and receiving TCP/IP packets off the network medium. The network interface layer is also called the network access layer.
network layer
A layer that addresses messages and translates logical addresses and names into physical addresses. It also determines the route from the source to the destination computer and manages traffic problems, such as switching, routing, and controlling the congestion of data packets.
Network Load Balancing
The Windows Clustering component that distributes incoming Web requests among its cluster of IIS servers.
Network Load Balancing cluster
Up to 32 IIS servers from which Network Load Balancing presents a single IP address to Web clients and among which Network Load Balancing distributes incoming Web requests.
network media
The type of physical wiring and lower-layer protocols used for transmitting and receiving frames. For example, Ethernet, FDDI, and Token Ring.
Network Monitor
A packet capture and analysis tool used to view network traffic. This feature is included with Windows 2000 Server; however, Systems Management Server has a more complete version.
network name
In server clusters, the name through which clients access server cluster resources. A network name is similar to a computer name, and when combined in a resource group with an IP address and the applications clients access, presents a virtual server to clients.
Network News Transfer Protocol (NNTP)
A member of the TCP/IP suite of protocols, used to distribute network news messages to NNTP servers and clients, or news-readers, on the Internet. NNTP is designed so that news articles are stored on a server in a central database, and the user selects specific items to read. See also Transmission Control Protocol/Internet Protocol (TCP/IP).
network number
In the Macintosh environment, the routing address or range of addresses assigned to the physical network that Phase 2 AppleTalk routers use to route information to the appropriate network. Network number is also called network range and cable range. See also routing.
Network Plug and Play
A combination of hardware and software support that enables a computer system to recognize and adapt to hardware configuration changes with little or no user intervention.
network prefix
The number of bits in the IP network ID starting from the high order bit. The network prefix is another way of expressing a subnet mask.
network prefix notation
The practice of expressing a subnet mask as a network prefix rather than a dotted decimal notation.
network range
See network number.
network route
A route to a specific network ID in an internetwork.
NFS
See network file system.
NNTP
See Network News Transfer Protocol.
node
In tree structures, a location on the tree that can have links to one or more items below it. In local area networks (LANs), a device that is connected to the network and is capable of communicating with other network devices. In a server cluster, a server that has Cluster service software installed and is a member of the cluster. See also local area network (LAN).
nonauthoritative restore
The default restore mode when using the Windows 2000 Ntbackup utility. When a domain controller is restored from a backup tape, the domain controller is brought up-to-date with its replica partners using normal Active Directory replication protocols. It is a non-authoritative restore because the objects in the restored directory are not treated as authoritative. The restored objects are replaced with changes held in other replicas of the restored domain.
nonce
A randomly generated value used to defeat replay attacks. See also replay attack.
noncontainer object
An object that cannot logically contain other objects. A file is a noncontainer object. See also container object; object.
noncontiguous namespace
A namespace based on different DNS root domain names, such as that of multiple trees in the same forest. See also namespace; hierarchical namespace; flat namespace.
nonpaged pool
An area of system memory reserved for objects that must remain in physical memory as long as they are active. The alternative is the paged pool.
nonrepudiation
A basic security function of cryptography. Nonrepudiation provides assurance that a party in a communication cannot falsely deny that a part of the communication occurred. Without nonrepudiation, someone can communicate and then later deny the communication or claim that the communication occurred at a different time. See also cryptography; authentication; confidentiality; integrity.
nontransitive trust relationship
A type of trust relationship that is bounded by the two domains in the relationship. For example, if domain A trusts domain B and domain B trusts domain C, there is no trust relationship between domain A and domain C. A nontransitive trust relationship can be a one-way or two-way relationship. It is the only type of trust relationship that can exist between a Windows 2000 domain and a Windows NT domain or between Windows 2000 domains in different forests. See also trust relationship; transitive trust relationship.
notify list
A list maintained by the primary server for a zone of other DNS servers that should be notified when zone changes occur. The notify list is made up of IP addresses for DNS servers configured as secondary servers for the zone. The secondary servers can then check to see if they need to initiate a zone transfer. See also DNS Notify.
Novell Directory Services (NDS)
On networks running Novell NetWare 4.x and NetWare 5.x, a distributed database that maintains information about every resource on the network and provides access to these resources.
NS (name server) resource record
See name server (NS) resource record.
Nslookup
A command-line tool that allows users to make DNS queries for testing and troubleshooting DNS installations.
NTFS file system
A recoverable file system designed for use specifically with Windows NT and Windows 2000. NTFS uses database, transaction-processing, and object paradigms to provide data security, file system reliability, and other advanced features. It supports file system recovery, large storage media, and various features for the POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes.
NTLM authentication protocol
A challenge/response authentication protocol. The NTLM authentication protocol was the default for network authentication in Windows NT version 4.0 and earlier. The protocol continues to be supported in Windows 2000 but is no longer the default. See also authentication.
NVRunCmd service
A service that allows commands issued from a host system NetView console to be carried out on the computer running Windows 2000 and SNA Server. The NVRunCmd service also returns the command results to the host NetView console in standard character or number formats.
NWLink
An implementation of the Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and NetBIOS protocols used in Novell networks. NWLink is a standard network protocol that supports routing and can support NetWare client/server applications, where NetWare-aware Sockets-based applications communicate with IPX/SPX Sockets-based applications. See also Internetwork Packet Exchange (IPX); network basic input/output system (NetBIOS).



object
An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user's first name, last name, and e-mail address. For OLE and ActiveX objects, an object can also be any piece of information that can be linked to, or embedded into, another object. See also attribute; child object; container object; noncontainer object; parent object.
object class
The object class is the formal definition of a specific kind of object that can be stored in the directory. An object class is a distinct, named set of attributes that represents something concrete, such as a user, a printer, or an application. The attributes hold data describing the thing that is identified by the directory object. Attributes of a user might include the user's first name, last name, and e-mail address. The terms object class and class are used interchangeably. The attributes that can be used to describe an object are determined by the content rules.
object linking and embedding (OLE)
A method for sharing information among applications. Linking an object, such as a graphic, from one document to another inserts a reference to the object into the second document. Any changes you make in the object in the first document will also be made in the second document. Embedding an object inserts a copy of an object from one document into another document. Changes you make in the object in the first document will not be updated in the second unless the embedded object is explicitly updated. See also ActiveX.
objectClassCategory
An integer value that specifies the category of the class. The category can be Structural, Abstract, or Auxiliary.
octet
In programming, an octet refers to eight bits or one byte. IP addresses, for example, are typically represented in dotted-decimal notation; that is, with the decimal value of each octet of the address separated by a period. See also IP address.
off-subnet addressing
The allocation of IP addresses from remote access servers to remote access clients that are not in a range defined by a subnet to which the remote access server is attached.
offline
In a server cluster, the state of a resource, group, or node when it is unavailable to the cluster. Resources and groups also have an offline state. See also group; node; online; paused; resource.
offline media
Media that are not connected to the computer and require external assistance to be accessed.
offset
When defining a pattern match within a filter using Network Monitor, the number of bytes from the beginning of the frame where the pattern occurs in a frame.
OLE
See object linking and embedding.
oMObjectClass
For object-syntaxed attributes (OM-syntax = 127), a binary value that describes the type of object.
oMSyntax
The OM syntax of an attribute. Syntax of this attribute as defined by the XAPIA X/Open Object Model (XOM) specification.
on-demand connection
A demand-dial connection made over dial-up links when the cost of using the communications link is time-sensitive. For example, long distance analog phone calls are charged on a per-minute basis. With on-demand connections, the connection is made when traffic is forwarded, and the connection is terminated after a configured amount of idle time.
on-demand installation
An installation option that gives Windows 2000-compatible software the ability to install new features on first use rather than when the application is first installed.
on-demand router-to-router VPN connection
A router-to-router VPN connection that is made by a calling router that has a dial-up connection to the Internet.
on-media identifier (OMID)
A label that is electronically recorded on each medium in a Removable Storage system. Removable Storage uses on-media identifiers to track media in the Removable Storage database. An application on-media identifier is a subset of the media label.
on-screen keyboard
A utility that displays a virtual keyboard on a computer screen and allows users with mobility impairments to type using a pointing device or joystick.
on-subnet addressing
The allocation of IP addresses from a remote access server to remote access clients that are in a range defined by a subnet to which the remote access server is attached.
one-level search
See search scope.
online
In a server cluster, the state of a resource, group, or node when it is available to the cluster. See also heartbeat; node; offline; paused; resource.
online library
A robotic library unit, sometimes referred to as a jukebox.
OnNow Power Initiative
A system-wide approach to power management. All components can be instantly on or off and work in conjunction with hardware and software components to alter their power state as system use requires.
open database connectivity (ODBC)
An application programming interface (API) that enables database applications to access data from a variety of existing data sources.
Open Shortest Path First (OSPF)
A routing protocol used in medium-sized and large-sized networks. This protocol is more complex than RIP, but allows better control and is more efficient in propagating routing information.
open systems interconnection reference model
A networking model introduced by the International Organization for Standardization (ISO) to promote multi-vendor interoperability. Open Systems Interconnection (OSI) is a seven-layered conceptual model consisting of the application, presentation, session, transport, network, data-link, and physical layers.
operational attribute
An attribute that is used only for administering the directory database. It is an artifact attribute that is never defined in the schema and does not require any storage. Generally, when you set the operational attribute, you trigger some immediate action on the server.
operations master
A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single-master (not permitted to occur at different places in the network at the same time). Examples of these operations include resource identifier allocation, schema modification, primary domain controller election and certain infrastructure changes. The domain controller that controls the particular operation owns the operations master role for that operation. The ownership of these operations master roles can be transferred to other domain controllers. See also Active Directory; domain naming master; infrastructure master; multimaster replication; relative ID master; replication; schema master.
operator request
A request for the operator to perform a task. This request can be issued by an application or by Removable Storage.
option types
Client configuration parameters that a DHCP server can assign when offering an IP address lease to a client. Typically, these option types are enabled and configured for each scope. Most options are predefined through RFC 2132, but DHCP Manager can be used to define and add custom option types if needed.
organizational domain
A type of domain signified by a three-character code that indicates the primary function or activity of the organizations contained within the domain, such as .org, .edu, or .gov.
organizational unit (OU)
An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other organizational units are placed. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which a Group Policy object can be linked, or over which administrative authority can be delegated.
original equipment manufacturer (OEM)
The maker of a piece of equipment. In making computers and computer-related equipment, manufacturers of original equipment typically purchase components from other manufacturers of original equipment and then integrate them into their own products.
originating update
In Active Directory replication, a write to a property at the system initiating the change, as opposed to a write to a property that is caused by replication. For example, a change to attribute A on object O on server S1 is the originating write. When S2 receives the change from S1, the local database update on S2 for object O, attribute A is the corresponding replicated write. See also replicated update.
OSChooser Markup Language (OSCML)
The markup language used to modify the Client Installation Wizard (CIW) .osc files for the screens presented when using Remote Installation Service.
OSI
See open systems interconnection reference model.
OSPF
See Open Shortest Path First.
output filters
Filters that define the traffic allowed to be sent from an interface.
overclocking
Setting a microprocessor to run at speeds above its rated specification.
owner
In Windows 2000, the person who controls how permissions are set on objects and can grant permissions to others. In the Macintosh environment, an owner is the user responsible for setting permissions for a folder on a server. A Macintosh user who creates a folder on the server automatically becomes the owner of the folder. The owner can transfer ownership to someone else. Each Macintosh-accessible volume on the server also has an owner.



p-node
A NetBIOS node type that uses point-to-point communication with a name server to resolve names as IP addresses.
package
An icon that represents embedded or linked information. That information can consist of a complete file, such as a Paint bitmap, or part of a file, such as a spreadsheet cell. When a package is chosen, the application used to create the object either plays the object (if it is a sound file, for example) or opens and displays the object. If the original information is changed, linked information is then updated. However, embedded information needs to be manually updated. In Systems Management Server, an object that contains the files and instructions for distributing software to a distribution point. See also embedded object; linked object; object linking and embedding (OLE).
package distribution
In Systems Management Server, the process of placing a decompressed package image on distribution points, sharing that image, and making it accessible to clients. This process occurs when you specify distribution points for a package.
packet
A transmission unit of fixed maximum size that consists of binary information. This information represents both data and a header containing an ID number, source and destination addresses, and error-control data.
packet filtering
Prevents certain types of network packets from either being sent or received. This can be employed for security reasons (to prevent access from unauthorized users) or to improve performance by disallowing unnecessary packets from going over a slow connection. See also packet.
page fault
An error that occurs when the requested code or data cannot be located in the physical memory that is available to the requesting process.
page-description language (PDL)
A computer language that describes the arrangement of text and graphics on a printed page. See also printer control language (PCL); PostScript.
paging
The process of moving virtual memory back and forth between physical memory and the disk. Paging occurs when physical memory limitations are reached and only occurs for data that is not already "backed" by disk space. For example, file data is not paged out because it already has allocated disk space within a file system. See also virtual memory.
paging file
A hidden file on the hard disk that Windows 2000 uses to hold parts of programs and data files that do not fit in memory. The paging file and physical memory, or RAM, comprise virtual memory. Windows 2000 moves data from the paging file to memory as needed and moves data from memory to the paging file to make room for new data. Also called a swap file. See also random access memory (RAM); virtual memory.
paper source
The location (such as Upper Paper Tray or Envelope Feeder) of the paper at the printer.
parent class
All structural object classes are subclasses, directly or indirectly, of a single abstract object class, which is called top. Every object represented in the directory belongs to top and, as a result, every entry must have an objectClass attribute. When you create a new class, you must specify the superclass. If you are not creating a subclass of an existing class, the new class is a subclass of top.
The parent object becomes a superclass of the new object. A superclass is a classSchema object from which one or more other classSchema objects inherit information. The inherited information includes mandatory and optional attributes (systemMustContain, mustContain, systemMayContain, and mayContain) and its parent classes in the directory hierarchy (systemPossSuperiors and possSuperiors).
parent domain
For DNS and Active Directory, domains that are located in the namespace tree directly above other derivative domain names (child domains). For example, "reskit.com" would be the parent domain for "eu.reskit.com," a child domain. See also child domain; directory partition; domain.
parent object
The object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate, or child, objects. In Active Directory, the schema determines what objects can be parent objects of what other objects. Depending on its class, a parent object can be the child of another object. See also child object; object.
parent-child trust relationship
The two-way, transitive trust relationship that is established when a domain is added to an Active Directory tree. The Active Directory installation process automatically creates a trust relationship between the domain you are creating (the new child domain) and the parent domain.
The concept of managing the growth and delegation of a parent domain into further child domains, which are derived and delegated from the parent name. See also child domain; parent domain.
partial replica
A read-only replica of a directory partition that contains a subset of the attributes of all objects in the partition. Each Global Catalog contains partial replicas of all domains in the forest. The attributes contained in a partial replica are defined in the schema as the attributes whose attributeSchema objects have the isMemberOfPartialAttributeSet attribute set to TRUE. See also full replica; Global Catalog.
partition
A logical division of a hard disk. Partitions make it easier to organize information. Each partition can be formatted for a different file system. A partition must be completely contained on one physical disk, and the partition table in the Master Boot Record for a physical disk can contain up to four entries for partitions.
partition knowledge table (PKT)
Repository of information about the Dfs topology and its mappings to the underlying physical shares. For a domain-based Dfs root, the PKT is stored in Active Directory and made available to each server that hosts a domain-based Dfs root. For a stand-alone Dfs root, the PKT is stored in the individual server's registry.
partition table
An area of the Master Boot Record that the computer uses to determine how to access the disk. The partition table can contain up to four partitions for each physical disk.
pass-through VPN connection
A less common combined Internet and intranet virtual private network (VPN) connection.
password authentication protocol (PAP)
A simple, plaintext authentication scheme for authenticating PPP connections. The user name and password are requested by the remote access server and returned by the remote access client in plaintext.
path
A sequence of directory (or folder) names that specifies the location of a directory, file, or folder within the Windows directory tree. Each directory name and file name within the path must be preceded by a backslash (\). For example, to specify the path of a file named Readme.doc located in the Windows directory on drive C, type C:\Windows\Readme.doc.
path maximum transmission unit (PMTU)
The maximum packet size that is supported by all of the network technologies in a path between a source and destination host.
path maximum transmission unit discovery
The process of discovering the maximum sized IP datagram that can be sent along a path without fragmentation.
pattern match
In Network Monitor, specific pattern of ASCII or hexadecimal data. A pattern match can be used in setting a filter or capture trigger. See also offset.
paused
The state of a node that is a fully active member in the server cluster but cannot host groups. The paused state is provided for an administrator to perform maintenance. See also failback; failover; node; offline.
PC Card
A removable device, approximately the size of a credit card, that can be plugged into a PCMCIA (Personal Computer Memory Card International Association) slot in a portable computer. PCMCIA devices can include modems, network adapters, and hard disk drives.
PC/SC smart card specification
An open standard for smart cards and smart card readers published by the PC/SC Workgroup, a consortium of industry-leading computer software and hardware manufacturers.
performance counter
In System Monitor, a data item associated with a performance object. For each counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object. See also performance object.
Performance Monitor
A Windows NT administrative tool that monitors performance on local or remote computers. Performance Monitor is replaced by the Performance console in Windows 2000. See also System Monitor.
performance object
In System Monitor, a logical collection of counters that is associated with a resource or service that can be monitored. See also performance counter.
peripheral component interconnect (PCI)
A specification introduced by Intel Corporation that defines a local bus system that allows up to 10 PCI-compliant expansion cards to be installed in the computer.
permanent virtual circuit (PVC)
A virtual circuit assigned to a preconfigured static route.
permission
A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are granted or denied by the object's owner. See also object; privilege; user rights.
persistent connection
A connection that is always active. For instance, the WINS servers in Windows 2000 use persistent connections to constantly update their WINS databases.
persistent demand-dial connection
A demand-dial connection that uses a dial-up WAN technology when the cost of the link is fixed. A persistent demand-dial connection can be active 24 hours a day. Examples of WAN technologies for persistent demand-dial connections include local calls that use analog phone lines, leased analog lines, and flat-rate ISDN. If a persistent connection is lost, the calling router immediately attempts to reestablish the connection.
persistent route
Routes that are not based on the TCP/IP configuration and that are automatically added to the IP routing table when the TCP/IP protocol is started. Routes added to the IP routing table using the route utility with the "-p" command line option are recorded as persistent routes.
persistent router-to-router VPN connection
A scenario in which both the calling and answering routers are permanently connected to the Internet.
personal identification number (PIN)
A secret identification code that is used to protect smart cards from misuse. The PIN is similar to a password and is known only to the owner of the card. The smart card can be used only by someone who possesses the smart card and knows the PIN. See also smart card.
physical layer
A software layer that transmits bits from one computer to another and regulates the transmission of a stream of bits over a physical medium. This layer defines how the cable is attached to the network adapter and which transmission technique is used to send data over the cable.
physical media
A storage object that data can be written to, such as a disk or magnetic tape. A physical medium is referenced by its physical media ID (PMID).
physical stores
See certificate stores.
physical unit (PU)
An IBM Systems Network Architecture component that monitors and manages the resources of a network node as requested by the systems services control point.
ping
A tool that verifies connections to one or more remote hosts. The ping command uses the ICMP Echo Request and Echo Reply packets to determine whether a particular IP system on a network is functional. Ping is useful for diagnosing IP network or router failures. See also Internet Control Message Protocol (ICMP).
ping of death
A denial of service attack where malicious users send one or multiple 64-KB ICMP Echo Request messages. The 64-KB messages are fragmented and must be reassembled at the destination host. For each separate 64-KB message, the TCP/IP protocol must allocate memory, tables, timers, and other resources. With enough fragmented messages, a host can become bogged down so that the servicing of valid information requests is impaired.
PKI
See public key infrastructure.
A Remote Storage identifier for an NTFS volume. See also Remote Storage.
plaintext
Data that is not encrypted. Sometimes also called clear text. See also ciphertext; encryption; decryption.
Plug and Play
A set of specifications developed by Intel that allows a computer to automatically detect and configure a device and install the appropriate device drivers.
PMTU
See path maximum transmission unit.
PMTU black hole router
A router that silently discards IP datagrams that require fragmentation when the Don't Fragment (DF) flag in the IP header is set to 1.
PMTU Discovery
See path maximum transmission unit discovery.
point of presence (POP)
The local access point for a network provider. Each POP provides a telephone number that allows users to make a local call for access to online services.
point-to-LAN remote access connectivity
In internetworking, a connectivity model in which remote access clients are transparently connected to the network to which the remote access server is attached.
Point-to-Point Protocol (PPP)
An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC 1661.
point-to-point remote access connectivity
In internetworking, a connectivity model in which remote access clients connect to remote access servers and are connected only to the remote access server.
Point-to-Point Tunneling Protocol (PPTP)
A tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based internetwork, such as the Internet or a private intranet.
pointer (PTR) resource record
A resource record used in a reverse lookup zone created within the in-addr.arpa. domain to designate a reverse mapping of a host IP address to a host DNS domain name. See also resource record.
poison reverse
A process that, used with split horizon, improves RIP convergence over simple split horizon by advertising all network IDs. However, the network IDs learned in a given direction are advertised with a hop count of 16, indicating that the network is unavailable. See also split horizon.
policy agent
An Internet Protocol security mechanism that retrieves the computer's assigned Internet Protocol security policy from the Windows 2000 directory service (or the registry if the computer is not connected to a domain) and passes it to the IKE service to use when establishing secure communications. See also Internet Protocol security policy.
port
A mechanism that allows multiple sessions. A refinement to an IP address. In Device Manager, a connection point on a computer where devices that pass data in and out of a computer can be connected. For example, a printer is typically connected to a parallel port (also known as an LPT port), and a modem is typically connected to a serial port (also known as a COM port).
port monitor
A device that controls the computer port that provides connectivity to a local or remote print device.
port rule
For Network Load Balancing, a set of configuration parameters that determine the filtering mode to be applied to a range of ports. See also filtering mode.
Portable Operating System Interface for UNIX (POSIX)
An IEEE (Institute of Electrical and Electronics Engineers) standard that defines a set of operating-system services. Programs that adhere to the POSIX standard can be easily ported from one system to another. POSIX was based on UNIX system services, but it was created in a way that allows it to be implemented by other operating systems.
POSIX
See Portable Operating System Interface for UNIX.
possible owner
A node on which a resource can operate, and which has been added to the resource's list of possible owners. Resources fail over only to possible owners.
possSuperiors
A multivalued property that specifies the classes that can be legal parents of instances of this class. For an existing classSchema object, values can be added to this property but not removed.
Each value is the lDAPDisplayName of a class. You must ensure that the classes exist or will exist when the new class is written to the directory. If one of the classes does not exist, the classSchema object will fail to be added to the directory.
The full set of possible superiors is the union of the systemPossSuperiors and possSuperiors on this class as well as the systemPossSuperiors and possSuperiors properties of all inherited superclasses (structural or abstract classes). Note that possSuperiors are not inherited from auxiliary classes.
POST
See power-on self test.
Post Office Protocol
A maildrop service that allows a client to retrieve mail that the server is holding for it. The most recent implementation is Version 3, or POP3.
PostScript
A page-description language (PDL) developed by Adobe Systems for printing with laser printers. PostScript offers flexible font capability and high-quality graphics. It is the standard for desktop publishing because it is supported by imagesetters, the high-resolution printers used by printing services for commercial typesetting. See also printer control language (PCL); page-description language (PDL).
PostScript printer
A printer that uses the PostScript page-description language (PDL) to create text and graphics on the output medium, such as paper or overhead transparency. See also page-description language (PDL); PostScript.
power-on self test (POST)
A set of routines stored in read-only memory (ROM) that tests various system components such as RAM, the disk drives, and the keyboard, to see if they are properly connected and operating. If problems are found, these routines alert the user with a series of beeps or a message, often accompanied by a diagnostic numeric value. If the POST is successful, it passes control to the bootstrap loader.
PPP
See Point-to-Point Protocol.
PPTP client
See Point-to-Point Tunneling Protocol client.
PPTP server
See Point-to-Point Tunneling Protocol server.
pre-shared key
An authentication technology used by IPSec. Pre-shared means the parties must agree on a shared, secret key that becomes part of the IPSec policy. Information is encrypted before transmission using the shared key, and decrypted on the receiving end using the same key. If the receiver can decrypt the information, identities are considered authenticated.
preferred server
The NetWare bindery-based (NetWare 2.x, and 3.x) server to which you connect by default when you log on to your computer. The preferred server validates your user credentials and is queried when you request information about resources available on the NetWare network.
premigrated file
An object that has been copied to remote storage in preparation for truncation, but remains on the managed volume. When it is truncated, it will become a placeholder for the file.
presentation layer
A network layer that translates data from the application layer into an intermediary format. This layer also manages security issues by providing such services as data encryption, and compresses data so that fewer bits need to be transferred on the network.
primary domain controller
A Windows NT 4.0 and 3.51 domain controller that is the first one created in the domain and contains the primary storehouse for domain data. Within the domain, the primary domain controller periodically replicates its data to the other domain controllers, known as backup domain controllers. See also backup domain controller.
primary domain controller emulator
The first Windows 2000 domain controller created in a domain. In addition to replicating domain data to the other Windows 2000 domain controllers, the primary domain controller emulator acts like a Windows NT primary domain controller in that it performs primary domain controller duties, including replication of domain data to any backup domain controllers within the domain. If the primary domain controller emulator goes offline, another Windows 2000 domain controller in the domain can assume the primary domain controller emulator role. See also primary domain controller; backup domain controller.
primary domain controller emulator master
The domain controller assigned to act as a Windows NT primary domain controller (PDC) to service network clients that do not have Active Directory client software installed, and to replicate directory changes to any Windows NT backup domain controllers (BDCs) in the domain. For a Windows 2000 domain operating in native mode, the PDC emulator master receives preferential replication of password changes performed by other domain controllers in the domain and handles any password authentication requests that fail at the local domain controller. At any time, there can be only one PDC emulator in a particular domain. See also Active Directory; backup domain controller; domain controller; multimaster replication; operations master; primary domain controller; replication.
primary domain name
The name used to indicate the domain in which the computer resides. See also connection-specific domain name.
primary partition
A volume created using unallocated space on a basic disk. Windows 2000 and other operating systems can start from a primary partition. As many as four primary partitions can be created on a basic disk, or three primary partitions and an extended partition. Primary partitions can be created only on basic disks and cannot be subpartitioned. See also basic disk; dynamic volume; extended partition; partition.
primary server
An authoritative DNS server for a zone that can be used as a point of update for the zone. Only primary masters have the ability to be updated directly to process zone updates, which include adding, removing, or modifying resource records that are stored as zone data. Primary masters are also used as the first sources for replicating the zone to other DNS servers.
primary token
The access token assigned to a process to represent the default security information for that process. It is used in security operations by a thread working on behalf of the process itself rather than on behalf of a client. See also access token; impersonation token; process.
primary zone
A copy of the zone that is administered locally. See also zone; secondary zone.
print device
A hardware device used for printing that is commonly called a printer. See also logical printer.
print processor
A PostScript program that understands the format of a document's image file and how to print the file to a specific printer or class of printers. See also PostScript.
print server
A computer that is dedicated to managing the printers on a network. The print server can be any computer on the network.
Print Server for Macintosh
A Services for Macintosh service that enables Macintosh clients to send and spool documents to printers attached to a computer running Windows 2000 Server, and allows clients to send documents to printers on an AppleTalk network. Print Server for Macintosh is also called MacPrint.
print server service
A service that receives print jobs from remote print clients. Different services are provided for different clients.
Print Services for UNIX
A print server service for UNIX clients. See also print server service.
print sharing
The ability for a computer running Windows 2000 Professional or Windows 2000 Server to share a printer on the network.
print spooler
Software that accepts a document sent to a printer and then stores it on disk or in memory until the printer is ready for it. This collection of dynamic-link libraries (DLLs) receives, processes, schedules, and distributes documents for printing. The term spooler is an acronym created from "simultaneous print operations online." See also spooling.
printer control language (PCL)
The page-description language (PDL) developed by Hewlett Packard for their laser and inkjet printers. Because of the widespread use of laser printers, this command language has become a standard in many printers. See also page-description language (PDL); PostScript.
printer driver
A program designed to allow other programs to work with a particular printer without concerning themselves with the specifics of the printer's hardware and internal language. By using printer drivers that handle the subtleties of each printer, programs can communicate properly with a variety of printers. See also printer control language (PCL); PostScript.
printer fonts
Fonts residing in or intended for a printer. A printer font, usually located in the printer's read-only memory (ROM), can be internal, downloaded, or on a font cartridge. See also font.
printer job language (PJL)
The printer command language developed by Hewlett Packard that provides printer control at the print-job level. Using PJL commands, default printer settings such as the number of copies to print can be changed. PJL commands also permit switching printer languages between print jobs without action by the user. If bi-directional communication is supported, a PJL-compatible printer can send information such as printer model and job status to the print server. See also printer control language (PCL); page-description language (PDL); PostScript.
printer permissions
Permissions that specify the type of access that a user or group has to a printer. The printer permissions are Print, Manage Printers, and Manage Documents.
printers folder
The folder in Control Panel that contains the Add Printer wizard and icons for all the printers installed on your computer.
priority
A precedence ranking that determines the order in which the threads of a process are scheduled for the processor.
priority inversion
The mechanism that allows low-priority threads to run and complete execution rather than being preempted and locking up a resource such as an I/O device.
private address space
The set of private addresses. The private address space consists of the following three blocks of addresses:,,
private addresses
IP addresses that are designed to be used by organizations for private intranet addressing within one of the following blocks of addresses:,,
private key
The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key. See also public key.
private ports
See dynamic ports.
privilege
A user's right to perform a specific task, usually one that affects an entire computer system rather than a particular object. Privileges are assigned by administrators to individual users or groups of users as part of the security settings for the computer. See also access token; permission; user rights.
privileged mode
Also known as kernel mode, the processing mode that allows code to have direct access to all hardware and memory in the system.
process
An operating system object that consists of an executable program, a set of virtual memory addresses, and one or more threads. When a program runs, a Windows 2000 process is created. See also thread.
promiscuous mode
A feature of the network adapter that supports the detection of all frames sent over the network segment.
protected storage service
A service that provides applications with a place to store per-user data that must be kept secret or free from modification. Protected storage uses the Hash-based Message Authentication Code (HMAC) and the SHA1 cryptographic hash function to encrypt the user's master key.
protection against wrapped sequence numbers (PAWS)
The use of TCP timestamps to prevent a TCP receiver from mistaking a new sequence number for an old sequence number that it is expecting to receive.
protocol
A set of rules and conventions by which two computers pass messages across a network. Networking software usually implements multiple levels of protocols layered one on top of another. Windows NT and Windows 2000 include NetBEUI, TCP/IP, and IPX/SPX-compatible protocols.
protocol number
A field in the IP packet which identifies the next level higher in the protocol stack.
pruning
A process that removes unavailable printers from the Active Directory listing. An orphan pruner program running on the domain controller periodically checks for orphaned printers, that is, printers that are offline or powered down, and deletes the printer objects of the printers it cannot find.
PTR (pointer) resource record
See pointer (PTR) resource record.
public addresses
IP addresses assigned by the Internet Network Information Center (InterNIC) that are guaranteed to be globally unique and reachable on the Internet.
public key
The non-secret half of a cryptographic key pair that is used with a public key algorithm. Public keys are typically used to verify digital signatures or decrypt data that has been encrypted with the corresponding private key. See also private key.
public key certificate
A digital passport that serves as proof of identity. Public key certificates are issued by a certification authority (CA). See also certification authority (CA); Kerberos authentication protocol.
public key cryptography
A method of cryptography in which two different but complementary keys, a public key and a private key, are used to provide security functions. Public key cryptography is also called asymmetric key cryptography. See also cryptography; public key; private key.
public key cryptography standards (PKCS)
A family of standards for public key cryptography that includes RSA encryption, Diffie-Hellman key agreement, password-based encryption, extended-syntax, cryptographic message syntax, private key information syntax, and certificate request syntax, as well as selected attributes. Developed, owned and maintained by RSA Data Security, Inc. See also certificate; public key.
public key infrastructure (PKI)
The term generally used to describe the laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. Standards for PKI are still evolving, even though they are being widely implemented as a necessary element of electronic commerce. See also certificate; certification authority; public key cryptography.
public-key algorithm
An asymmetric cipher that uses two keys, one for encryption, the public key, and the other for decryption, the private key. See also public key encryption; public key; private key; symmetric-key algorithm.
public-key encryption
A method of encryption that uses two encryption keys that are mathematically related. One key is called the private key and is kept confidential. The other is called the public key and is freely given out to all potential correspondents. In a typical scenario, a sender uses the receiver's public key to encrypt a message. Only the receiver has the related private key to decrypt the message. The complexity of the relationship between the public key and the private key means that, provided the keys are long enough, it is computationally infeasible to determine one from the other. Public key encryption is also called asymmetric encryption. See also public key; symmetric key encryption.
public/private key pair
A set of cryptographic keys used for public key cryptography. One key is used to encrypt, the other to decrypt. See also public key; private key.
published applications
Applications that are available to users managed by a Group Policy object. Each user decides whether or not to install a published application by using Add/Remove Programs in Control Panel.
pull partner
A Windows Internet Name Service (WINS) feature that pulls in replicas from its push partner by requesting them and then accepting the pushed replicas. See also push partner.
push partner
A Windows Internet Name Service (WINS) feature that sends replicas to its pull partner upon receiving a request from the pull partner. See also pull partner.



QoS Admission Control Service
A software service that controls bandwidth and network resources on the subnet to which it is assigned. Important applications can be given more bandwidth, less important applications less bandwidth. The QoS Admission Control Service can be installed on any network-enabled computer running Windows 2000.
Quality of Service (QoS)
A set of quality assurance standards and mechanisms for data transmission, implemented in Windows 2000.
quantization noise
The noise introduced on an analog dial-up connection due to an analog to digital conversion.
Also known as a time slice, the maximum amount of time a thread can run before the system checks for another ready thread of the same priority to run.
A list of programs or tasks waiting for execution. In Windows 2000 printing terminology, a queue refers to a group of documents waiting to be printed. In NetWare and OS/2 environments, queues are the primary software interface between the application and print device; users submit documents to a queue. In Windows 2000, however, the printer is that interface; the document is sent to a printer, not a queue.
quorum disk
The cluster disk on which configuration data is maintained in the quorum log, cluster database checkpoint, and resource checkpoints. The quorum disk is managed by the Quorum resource, which is usually a special kind of Physical Disk resource.
quorum log
The record, stored on the quorum disk, of changes that have been made to the cluster database of the registry since the last cluster database checkpoint was taken. Also known as the recovery log or change log.
Quorum resource
A quorum-capable resource (usually a Physical Disk resource) that has been configured to manage the quorum log and cluster database checkpoints, which comprise the configuration data necessary for recovery of the cluster.
quorum-capable resource
In a server cluster, a resource that can act as the cluster's Quorum resource. To be quorum-capable, a resource must provide shared storage and a means of persistent arbitration. The Cluster service defines only Physical Disk resources as quorum-capable.



See redundant array of independent disks.
RAID-5 volume
A fault-tolerant volume with data and parity striped intermittently across three or more physical disks. Parity is a calculated value that is used to reconstruct data after a failure. If a portion of a physical disk fails, you can recreate the data that was on the failed portion from the remaining data and parity. Also known as a striped volume with parity.
See random access memory.
random access memory (RAM)
Memory that can be read from or written to by a computer or other devices. Information stored in RAM is lost when the computer is turned off. See also virtual memory.
Optional. An integer that specifies the lower value of the range of values for this attribute. All values set for this attribute must be greater than or equal to this value. If both rangeLower and rangeUpper are set, rangeLower must be less than rangeUpper. For integers, value means the value of the integer. For string syntaxes, value means the number of characters in the string. For octet strings, value means the number of bytes.
Optional. An integer that specifies the upper value of the range of values for this attribute. All values set for this attribute must be less than or equal to this value. If both rangeLower and rangeUpper are set, rangeLower must be less than rangeUpper. For integers, value means the value of the integer. For string syntaxes, value means the number of characters in the string. For octet strings, value means the number of bytes.
raster fonts
Fonts that are stored as bitmaps; also called bit-mapped fonts. Raster fonts are designed with a specific size and resolution for a specific printer and cannot be scaled or rotated. If a printer does not support raster fonts, it will not print them.
Specifies the ldapDisplayName of the attribute that will be the naming attribute for the new class, if different from the default ("cn").
Use of a naming attribute other than "cn" is discouraged. Naming attributes should be drawn from the well-known set (OU, CN, O, L and DC) that is understood by all LDAP version 3 clients.
read-only memory (ROM)
A semiconductor circuit that contains information that cannot be modified.
An operation that retrieves the removed, unnamed data attribute from remote storage and places it on the managed volume. The placeholder is replaced on the managed volume with a copy of the file from remote storage. Upon completion of the recall, the file becomes a premigrated file.
Record Level Input/Output (RLIO)
An IBM distributed database protocol that provides record level access to nonrelational data on IBM host operating systems, including MVS, OS/390, and OS/400.
The process of using a log file to restore a database to a consistent state after a system crash and to restore a database from a backup to the most recent state that is recorded in the log file after a media failure. See also authoritative restore.
recovery agent
An account that can be used to decrypt a file encrypted by using the Encrypting File System (EFS) if the file owner's decryption key becomes unavailable.
recovery log
See quorum log.
One of the three process types for DNS name resolution. In this process, a resolver (a DNS client) requests that a DNS server provide a complete answer to a query that does not include pointers to other DNS servers. When a client makes a query and requests that the server use recursion to answer, it effectively shifts the workload of resolving the query from the client to the DNS server. If the DNS server supports and uses recursion, it will contact other DNS servers as necessary (using iterative queries on behalf of the client) until it obtains a definitive answer to the query. This type of resolution allows the client resolver to be small and simple. See also iteration; iterative query; recursive query.
recursive name query
See recursive query.
recursive query
A query made to a DNS server in which the requester asks the server to assume the full workload and responsibility for providing a complete answer to the query. The DNS server then uses separate iterative queries to other DNS servers on behalf of the requester to assist in completing an answer for the recursive query. See also iteration; iterative query; recursion.
In UNIX, to send the standard output to a file instead of to the terminal or to take the standard input from a file instead of from the terminal.
See Windows 2000 Redirector.
redundant array of independent disks (RAID)
A method used to standardize and categorize fault-tolerant disk systems. Six levels gauge various mixes of performance, reliability, and cost. Windows 2000 provides three of the RAID levels: Level 0 (striping) which is not fault-tolerant, Level 1 (mirroring), and Level 5 (striped volume with parity). See also fault tolerance; mirrored volume; RAID-5 volume; striped volume.
In Dfs, information that maps a DNS name in the logical namespace to the UNC equivalent name of a physical share. When a Dfs client gains access to a shared folder in the Dfs namespace, the Dfs root server returns a referral for the client to use in locating the shared folder. In DNS, a pointer to an authoritative DNS server that is authoritative for a lower level of the domain namespace. See also LDAP referral.
To update displayed information with current data.
refresh interval
In DNS, a 32-bit time interval that needs to elapse before the zone data is refreshed. When the refresh interval expires, the secondary server checks with a master server for the zone to see if its zone data is still current or if it needs to be updated by using a zone transfer. This interval is set in the start of authority (SOA) resource record for each zone. See also resource record; secondary server; start of authority (SOA) resource record; zone; zone transfer.
refresh rate
The frequency with which the video screen is retraced in order to prevent the image from flickering. The entire image area of most monitors is refreshed approximately 60 times per second.
registered ports
Ports in the range from 1024 through 49151.
In Windows 2000, Windows NT, Windows 98, and Windows 95, a database of information about a computer's configuration. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries.
registry boot
The default boot option used by most Microsoft DNS servers. When registry boot is used, the DNS service is started by using the DNS Service parameters and their values that are stored in the Windows 2000 registry. A Berkeley Internet Name Domain (BIND) boot file may be used as an alternative to this method of boot configuration for the DNS service. See also BIND boot file.
registry key
An identifier for a record or group of records in the registry.
regroup event
In a server cluster, when one node detects a communication failure with another cluster node, the first node's broadcast of a message to the entire cluster causing all members to verify their view of the current cluster membership.
relative distinguished name
The part of an object name that is an attribute of the object itself. For example, given the distinguished name of cn=JamesSmith,ou=Managers,dc=Reskit,dc=com, the relative distinguished name of the JamesSmith user object is cn=JamesSmith. The relative distinguished name of the parent object is ou=Managers. The relative distinguished name of the domain object is dc=Reskit.
relative ID (RID)
The part of a security ID (SID) that uniquely identifies an account or group within a domain. See also security ID.
relative ID master
The domain controller assigned to allocate sequences of relative IDs to each domain controller in its domain. Whenever a domain controller creates a security principal (user, group, or computer object), the domain controller assigns the object a unique security ID. The security ID consists of a domain ID that is the same for all security IDs created in a particular domain, and a relative ID that is unique for each security ID created in the domain. At any time, there can be only one relative ID master in a particular domain. See also Active Directory; domain controller; multimaster replication; operations master; replication.
relay agents
A small program that relays a certain type of message to others on a network. In TCP/IP networking, routers are used to interconnect hardware and software used on different subnets and forward IP packets between the subnets.
remote access policy
A set of conditions and connection parameters that define the characteristics of the incoming connection and the set of constraints imposed on it. Remote access policies determine whether a specific connection attempt is authorized to be accepted.
remote access server
A Windows 2000 Server-based computer running the Routing and Remote Access service and configured to provide remote access.
Remote Access Service (RAS)
A Windows NT 4.0 service that provides remote networking for telecommuters, mobile workers, and system administrators who monitor and manage servers at multiple offices.
remote access VPN connection
A connection made by a remote access client, a single user, that connects to a private network. The VPN server provides access to the resources of the VPN server or to the entire network to which the VPN server is attached. The packets sent from the remote client across the VPN connection originate at the remote access client computer.
remote computer
A computer that is accessible only by using a communications line or a communications device, such as a network adapter or a modem.
remote installation boot floppy (RBFG.exe)
A tool that is used to generate a remote installation boot floppy disk. The remote installation boot floppy disk is used to start the process of remote operating system installation for computers that lack a supported PXE-based remote boot ROM. The remote installation boot floppy disk simulates the PXE boot process on computers with a supported Peripheral Component Interconnect (PCI) network adapter.
Remote Installation Preparation wizard (RIPrep.exe)
A component in Remote Installation Services that is used to create operating system images and to install them on the RIS server.
Remote Installation Service (RIS)
Software services that allow a user to install Windows 2000 Professional from a Remote Install server with minimal interaction.
Remote Installation Service setup (RISetup.exe)
A component in Remote Installation Services that is used to set up the RIS server.
remote operating system installation
See Remote Installation Service (RIS).
remote procedure call (RPC)
A message-passing facility that allows a distributed application to call services that are available on various computers in a network. Used during remote administration of computers.
remote storage
For Windows 2000 Server, removable tapes in a library used for secondary data storage. Specified tapes used for secondary data storage are managed by Remote Storage and contain data that is either stored on, or has been removed from, local storage to free up disk space. See also local storage.
Remote Storage
A hierarchical storage management application that migrates data from primary storage to secondary storage. Hierarchical storage management makes sure that data is stored in the most cost-effective method possible. Frequently accessed data is stored on high-performance disks, while data that is not accessed as often is migrated to cheaper media until it is needed again.
Removable Storage
A service used for managing removable media (such as tapes and discs) and storage devices (libraries). Removable Storage allows applications to access and share the same media resources. See also library.
renewal interval
The amount of time available to a client to refresh its name with the WINS server. If the name is not renewed by the end of this period, the name is released. Renewal interval is also known as the name refresh timeout, or the Time To Live (TTL).
The process of converting an earlier version of an application to take advantage of many Windows Installer features, including the ability to advertise the application to users, the ability of the software to repair itself if essential files are deleted or corrupted, and the ability of users to install the application with elevated privileges.
reparse points
New NTFS file system objects that have a definable attribute containing user-controlled data and are used to extend functionality in the input/output (I/O) subsystem.
A feature that allows users with mobility impairments to adjust the repeat rate or to disable the key-repeat function on the keyboard. (See FilterKeys)
replay attack
An attempt to circumvent an authentication protocol by copying authentication messages from a legitimate client and then resending them during the impostor's own authentication to the server. See also nonce.
In Active Directory replication, a copy of a logical Active Directory partition that is synchronized through replication between domain controllers that hold copies of the same directory partition. "Replica" can also refer to the composite set of directory partitions held by any one domain controller. These are specifically called a directory partition replica and server replica, respectively. See also full replica; partial replica.
replicated update
In Active Directory replication, a write to a property on one replica as the result of replication of an update that originated at another replica. See also originating update.
The process of copying data from a data store or file system to multiple computers that store the same data for the purpose of synchronizing the data. In Windows 2000, replication of the directory service occurs through Active Directory replication, and replication of the file system occurs through the File Replication service. See also Active Directory replication; Distributed file system; File Replication service.
replication convergence
In multimaster replication, the guarantee that all replicas eventually converge on the same set of values if the system is allowed to reach a steady state, in which no new updates are occurring and all previous updates have been completely replicated. In a steady state, all replicas of a directory partition have the same objects, the same attributes, and the same values. See also Active Directory replication; loose consistency; multimaster replication.
replication cost
A numeric setting on a site link object. The total cost of a replication path between two sites is the sum of the costs of the links on the least costly route. Higher cost numbers represent more expensive messages. When the Knowledge Consistency Checker selects a site to obtain a source for a given directory partition, it selects the site with the least cost.
replication latency
In Active Directory replication, the delay between the time an update is applied to a given replica of a directory partition and the time it is applied to some other replica of the same directory partition. A server will receive changes no sooner than either it is notified of a change from its neighbor in the same site, or its periodic replication timer expires. Latency is sometimes referred to as propagation delay. See also multimaster replication.
replication partner
A domain controller that acts as a replication source for a given domain controller. The Knowledge Consistency Checker determines which servers are best suited to replicate with each other, and generates the list of domain controllers that are candidates for replication partners from the list of domain controllers in the site on the basis of connectivity, history of successful replication, and matching of full and partial replicas. A domain controller has some number of direct replication partners with whom it replicates for a given directory partition. The other domain controllers in the site replicate transitively with this domain controller. See also store-and-forward replication.
replication topology
In Active Directory replication, the set of connections that domain controllers use to replicate information among themselves, both within sites and between sites. The site topology is defined by site link objects. The connection topology is defined by connection objects. See also Active Directory replication; connection object; domain controller; site link.
replication transport
The protocols that are used to transport replication data over the network. For intrasite replication, data is always transferred by using RPC over IP. For intersite replication, data is transferred using either RPC synchronous transport (RPC over IP) or intersite messaging asynchronous transport (SMTP over IP). The choice of transport is controlled by the transport object (IP or SMTP) within which the site links are created in Active Directory. Different transports have different characteristics that make them better suited to different environments.
Request for Comments (RFC)
A document that defines a standard. RFCs are published by the Internet Engineering Task Force (IETF) and other working groups.
A specific IP address within a scope permanently reserved for a specific DHCP client. Client reservations are made in the DHCP database using DHCP Manager and based on a unique client device identifier for each reserved entry. In QoS ACS, an allocation of network resources, contained in a Resource Reservation Protocol (RSVP) reservation request administered by the QoS Admission Control Service. See also Dynamic Host Configuration Protocol (DHCP).
reserved state
A state that indicates that a side is the second side of a two-sided medium. It is unavailable for allocation to all but the application that has already allocated the first side.
DNS client programs used to look up DNS name information. Resolvers can be either a small "stub" (a limited set of programming routines that provide basic query functionality) or larger programs that provide additional lookup DNS client functions, such as caching. See also caching; caching resolver.
Any part of a computer system or network, such as a disk drive, printer, or memory, that can be allotted to a program or a process while it is running. For Device Manager, any of four system components that control how the devices on a computer work. These four system resources are: interrupt request (IRQ) lines, direct memory access (DMA) channels, input/output (I/O) ports, and memory addresses. In a server cluster, an instance of a resource type; the Cluster service manages various physical or logical items as resources. See also direct memory access (DMA); input/output (I/O) port; interrupt request (IRQ) lines; memory address.
Resource DLL
A dynamic-link library that defines default properties and behavior for a specific type of resource. The resource DLL contains an implementation of the Server Cluster API for a specific type of resource and is loaded into the address space of its Resource Monitor. See also dynamic-link library; Resource Monitor.
resource domain
A Windows NT domain that holds account data for workstations and resource computers (for example, file and print servers) associated with an account or master domain. See also account domain; master domain.
Resource Monitor
The server cluster component that manages communication between a node's Cluster service and one or more of its resources. See also node; resource.
resource record (RR)
Information in the DNS database that can be used to process client queries. Each DNS server contains the resource records it needs to answer queries for the portion of the DNS namespace for which it is authoritative.
resource record set (RRset)
A collection of more than one resource record returned in a query response by a DNS server. Resource record sets (RRsets) are used in responses where more than one record is part of the answer. See also resource record.
Resource Reservation Protocol (RSVP)
A signaling protocol that allows the sender and receiver in a communication to set up a reserved highway for data transmission with a specified quality of service.
resource type
A server cluster object used to manage resources of similar characteristics. A resource type is associated with a resource DLL that manages all the resources of that type in the cluster.
response time
The amount of time required to do work from start to finish. In a client/server environment, this is typically measured on the client side.
reverse domain
A special domain, named in-addr.arpa, that is used for IP address-to-name mappings (referred to as reverse lookup).
reverse lookup
A query in which the IP address is used to determine the DNS name for the computer.
reverse lookup zone
A zone that contains information needed to perform reverse lookups. See also reverse lookup.
revision level
One of three levels that can be viewed in Network Monitor traces which refer to Dfs client compatibility. Windows NT 4.0, Windows 95 and Windows 98 clients support Dfs revision level 2; Windows 2000 clients support revision level 3. There are no known version 1 clients. Dfs clients and servers negotiate the highest common protocol revision supported.
See Request for Comments.
See Routing Information Protocol.
Rivest-Shamir-Adleman (RSA) cryptographic algorithms
A widely used set of public key algorithms that are available from RSA Data Security, Inc. The RSA cryptographic algorithms are supported by the Microsoft Base Cryptographic Service Provider and the Microsoft Enhanced Cryptographic Service Provider.
roaming profile
A set of user-specific settings in a single location on a server so that users can move from computer to computer while retaining the same profile.
roaming user profile
A server-based user profile that is downloaded to the local computer when a user logs on and is updated both locally and on the server when the user logs off. A roaming user profile is available from the server when logging on to any computer that is running Windows 2000 Professional or Windows 2000 Server. When logging on, the user can use the local user profile if it is more current than the copy on the server.
rogue DHCP server
An unauthorized DHCP server.
rolling upgrade
In a cluster, the process of upgrading cluster nodes by turns while the other nodes continue to provide service.
The highest or uppermost level in a hierarchically organized set of information. The root is the point from which further subsets are branched in a logical sequence that moves from a broad or general focus to narrower perspectives.
root authority
See root certification authority.
root certificate
A self-signed certification authority certificate. It is called a root certificate because it is the certificate for the root authority. The root authority must sign its own certificate because there is no higher certifying authority in the certification hierarchy. See also certificate; certification authority; root certification authority.
root certification authority
The most trusted certification authority (CA), which is at the top of a certification hierarchy. The root CA has a self-signed certificate. Also called the root authority. See also certification authority; certification path; root certificate.
root directory
The top-level directory (or folder) on a computer, a partition or volume, or Macintosh-accessible volume. See also directory tree.
root DNS server
A DNS server authoritative for the root of the Internet. See also DNS server.
root domain
The beginning of the Domain Name System (DNS) namespace. In Active Directory, the initial domain in an Active Directory tree. Also the initial domain of a forest.
root hints
Local information stored on a DNS server that provides helping resource records to direct the server to its root servers. For the Microsoft DNS service, the root hints are stored in the file Cache.dns, located in the \%SystemRoot%\System32\Dns folder. Root hints are also called cache hints. See also authoritative; namespace; root; root servers; systemroot.
root hints file
See root hints.
root servers
DNS servers that are authoritative for the root of the namespace. See also authoritative; namespace; root; root hints.
round robin
A simple mechanism used by DNS servers to share and distribute loads for network resources. Round robin is used to rotate the order of resource record (RR) data returned in a query answer when multiple RRs exist of the same RR type for a queried DNS domain name.
round trip time estimation (RTTE)
The amount of time necessary to complete a round trip from sender to receiver and back.
route determination process
The process of selecting an interface and forwarding IP address based on the destination IP address of an IP datagram and the contents of the IP routing table.
route flapping
A condition on an internetwork in which a network segment becomes intermittently available.
route summarization
The practice of combining multiple network IDs into a single route in the routing table. With proper planning, hierarchical routing infrastructures can use route summarization.
routemon utility
A scripting utility for the Routing and Remote Access service that is intended as a command-line alternative to the router administration user interface available through the Routing and Remote Access Manager.
A network device that helps LANs and WANs achieve interoperability and connectivity and that can link LANs that have different network topologies, such as Ethernet and Token Ring.
router discovery
The use of Internet Control Message Protocol (ICMP) messages to provide fault tolerance for the configuration of a host's default gateway.
router-to-router VPN connection
A connection made by a router that connects two portions of a private network. The VPN server provides a routed connection to the network to which the VPN server is attached. On a router-to-router VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.
The process of forwarding a packet through an internetwork from a source host to a destination host.
routing domain
A collection of contiguous network segments connected by routers that share the routing information for the routes within the domain.
Routing Information Protocol (RIP)
An industry standard distance vector routing protocol used in small to medium sized IP and IPX internetworks.
routing infrastructure
The structure and topology of the internetwork.
routing loop
A path through an internetwork for a network ID that loops back onto itself.
routing protocol
A series of periodic or on-demand messages containing routing information that routers exchange with one another to share routes and provide fault tolerance. Except for their initial configuration, dynamic routers require little ongoing maintenance, and therefore can scale to larger internetworks.
routing table
A database of routes containing information on network IDs, forwarding addresses, and metrics for reachable network segments on an internetwork.
routing table maintenance protocol (RTMP)
A distance vector routing protocol used on AppleTalk internetworks.
RSA cryptographic algorithms
See Rivest-Shamir-Adleman (RSA) cryptographic algorithms.
An IPSec policy mechanism that governs how and when an IPSec policy protects communication. A rule provides the ability to trigger and control secure communication based on the source, destination, and type of IP traffic. Each rule contains a list of IP filters and a collection of security actions that take place upon a match with that filter list.



See Security Association.
SAP table
A database in which IPX routers and Novell NetWare servers collect service and IPX internetwork address information.
A measure of how well a computer, service, or application can expand to meet increasing performance demands. For server clusters, the ability to incrementally add one or more systems to an existing cluster when the overall load of the cluster exceeds its capabilities.
The process of adding processors to a system to achieve higher throughput.
The process of cleaning and removing extinct or outdated name data from the WINS database.
The universe of objects that can be stored in the directory is defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and what object class can be a parent of the current object class.
The Active Directory schema is implemented as a set of object class instances stored in the directory. This is very different from many directories, which have a schema but store it as a text file that is read at startup. Storing the schema in the directory has many advantages. For example, user applications can read it to discover what objects and properties are available.
The Active Directory schema can be updated dynamically. That is, an application can extend the schema with new attributes and classes and use the extensions immediately. Schema updates are accomplished by creating or modifying the schema objects stored in the directory. Like every object in the Active Directory, schema objects are protected by ACLs, so only authorized users may alter the schema.
schema cache
All changes made to Active Directory are validated first against the schema. For performance reasons, this validation takes place against a version of the schema that is held in memory on the domain controllers. This "in-memory version," called the schema cache, is updated automatically after the on-disk version has been updated. The schema cache provides mapping between attribute identifiers, such as a database column identifier or a MAPI identifier, and the in-memory structures that describe those attributes. The schema cache also provides lookups for class identifiers to get in-memory structures describing those classes.
schema master role
The domain controller that holds the schema master role is the only domain controller that can perform write operations to the directory schema. Those schema updates are replicated from the schema master to all other domain controllers in the forest.
A GUID that uniquely identifies the attribute. It is recommended that you generate your own GUID for each attribute so that all installations of your schema extension use the same schemaIDGUID to refer to the attribute. If no value is specified, Active Directory generates a GUID.
A type of program consisting of a set of instructions to an application or utility program. A script usually expresses instructions by using the application's or utility's rules and syntax, combined with simple control structures such as loops and if/then expressions. "Batch program" is often used interchangeably with "script" in the Windows environment.
search base
In an LDAP search, the distinguished name of the search base object, which defines the location in the directory from which to begin searching.
search filter
An argument in an LDAP search that selects certain entries in the subtree and excludes others. Filters let you define search criteria and give you finer control, producing more effective and efficient searches.
search scope
Defines how deep to search within the search base. Base, or zero levels, searches the base object only (a read of that object). One level searches objects immediately subordinate to the base object, but not including the base object itself. Subtree searches the entire subtree of which the base distinguished name is the topmost object, including that base object. Also called a deep search.
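The three search parameters defined above (search base, search filter and search scope) are easiest to see working together. The following is an added example, not part of the original glossary: it evaluates an LDAP-style search over a small constructed in-memory directory tree. The DNs and attribute values are made up, and the DN and filter parsers are deliberately minimal (no escaped commas, no substring or comparison filters); it is meant to show the scope and filter semantics, not to replace an LDAP library.

```python
"""Added example, not part of the original glossary: an LDAP search evaluated
over a small constructed in-memory directory tree, showing how the search base,
the search scope (base, one level, subtree) and a filter together determine
which entries are returned. All DNs and attribute values are made up."""

# Constructed sample directory: DN -> attributes. RDNs are listed leaf-first,
# so the trailing RDNs name the parent, as in a real LDAP DN.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"]},
    "ou=Users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=alice,ou=Users,dc=example,dc=com": {"objectClass": ["user"], "sn": ["Ng"]},
    "cn=bob,ou=Users,dc=example,dc=com": {"objectClass": ["user"], "sn": ["Ng"]},
    "ou=Admins,ou=Users,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=carol,ou=Admins,ou=Users,dc=example,dc=com": {"objectClass": ["user"], "sn": ["Ruiz"]},
    "ou=Groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
}


def rdns(dn):
    """Split a DN into lower-cased RDNs. Enough for the constructed data; a real
    DN parser must also handle escaped commas, quoting and multi-valued RDNs."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn, base, scope):
    """True if the entry named `dn` lies within `scope` of the search base `base`."""
    entry, root = rdns(dn), rdns(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False                      # not beneath the base at all
    depth = len(entry) - len(root)        # 0 = the base object, 1 = a direct child
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %r" % scope)


def _split_subfilters(body):
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], respecting nesting."""
    subs, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                subs.append(body[start:i + 1])
    return subs


def matches(attrs, filt):
    """Evaluate a minimal LDAP filter: (attr=value), the presence filter (attr=*),
    and the combinators (&...), (|...) and (!...). Matching is case-insensitive."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches(attrs, sub) for sub in _split_subfilters(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    lowered = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
    values = lowered.get(attr.strip().lower(), [])
    if value == "*":
        return bool(values)               # presence: the attribute has any value
    return value.strip().lower() in values


def ldap_search(base, scope, filt, directory=DIRECTORY):
    """Return, sorted, the DNs within `scope` of `base` whose attributes satisfy `filt`."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(attrs, filt))


if __name__ == "__main__":
    base = "ou=Users,dc=example,dc=com"
    for scope in ("base", "onelevel", "subtree"):
        print(scope, ldap_search(base, scope, "(objectClass=*)"))
    print("users named Ng:", ldap_search(base, "subtree", "(&(objectClass=user)(sn=Ng))"))
```

Note that a one-level search from ou=Users returns the Admins container but not carol inside it, while a subtree search returns both; a base search returns only the ou=Users object itself. The filter is applied only to entries already inside the scope, so a broad filter over a narrow scope is cheap and a narrow filter over a whole subtree still costs a walk of the subtree on an unindexed attribute.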
An integer value that contains bit flags. The searchFlags property of each property's attributeSchema object defines whether the property is indexed: the attribute is indexed if the least significant bit is set to 1 and non-indexed if that bit is 0.
The four currently defined bits for this attribute are as follows:
1 = Index over attribute only;
2 = Index over container and attribute;
4 = Add this attribute to the Ambiguous Name Resolution (ANR) set (should be used in conjunction with 1);
8 = Preserve this attribute on logical deletion (that is, make this attribute available on tombstones).
second-level domain
A domain in the Domain Name System (DNS) that is immediately under a top-level domain.
secondary server
An authoritative DNS server for a zone that is used as a source for replication of the zone to other servers. Secondary servers only update their zone data by transferring zone data from other DNS servers and cannot perform zone updates themselves. See also master server; zone transfer.
secondary storage
A storage device used to store data that has been migrated from managed volumes. Secondary storage includes the part of the hard disk that is used for a migration staging area.
secondary zone
A copy of the zone that must be replicated from a server containing the primary zone.
secret key
An encryption key that two parties share with each other and with no one else. See also symmetric key encryption.
secure dynamic update
The process by which a secure dynamic update client submits a dynamic update request to a DNS server, and the server attempts the update only if the client can prove its identity and has the proper credentials to make the update. See also dynamic update.
secure electronic transaction (SET)
A standard protocol that is used for securing online credit card payments that are made over the Internet.
Secure Sockets Layer (SSL)
A proposed open standard developed by Netscape Communications for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
An extension of MIME to support secure mail. It enables message originators to digitally sign e-mail messages to provide proof of message origin and data integrity. It also enables messages to be transmitted in encrypted format to provide confidential communications. See also Multipurpose Internet Mail Extensions (MIME).
Security Accounts Manager (SAM)
A protected subsystem that manages user and group account information. In Windows NT 4.0, both local and domain security principals are stored by SAM in the registry. In Windows 2000, workstation security accounts are stored by SAM in the local computer registry, and domain controller security accounts are stored in Active Directory.
security administrator
A user who has been assigned the right to manage auditing and the security log. By default, this user right is granted to the Administrators group. See also auditing; system access control list (SACL); user rights.
security association (SA)
A set of parameters that defines the services and mechanisms necessary to protect Internet Protocol security communications. See also Internet Protocol security (IPSec).
security context
The security attributes or rules that are currently in effect. For example, the rules that govern what a user can do to a protected object are determined by security information in the user's access token and in the object's security descriptor. Together, the access token and the security descriptor form a security context for the user's actions on the object. See also access token; security descriptor.
security descriptor
A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who may access it and in what way, and what types of access will be audited. See also access control list; object.
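The security context and security descriptor entries describe the two halves of an access decision: the caller's access token on one side and the object's security descriptor on the other. The following is an added example, not part of the original glossary, that models how Windows walks a DACL: ACEs are evaluated in order, an allow ACE for one of the token's SIDs removes its rights from the outstanding request, a deny ACE covering any still-outstanding right ends the check, and the check stops as soon as nothing is outstanding. The SIDs, rights and DACLs are constructed for illustration; the real check also handles privileges, inheritance flags, generic-right mapping and SACL auditing, which this model leaves out.

```python
"""Added example, not part of the original glossary: a simplified model of the
Windows access check, in which the SIDs in a caller's access token are matched
against the ACEs in an object's security descriptor DACL, in order. SIDs and
DACLs below are constructed for illustration; the real check also covers
privileges, inheritance flags, generic-right mapping and audit (SACL) processing,
which this model leaves out."""

# Standard and file-specific access mask bits, as defined in the Windows SDK.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

ACCESS_ALLOWED, ACCESS_DENIED = "ACCESS_ALLOWED", "ACCESS_DENIED"


class Ace:
    """One access control entry: type, trustee SID, and the rights it covers."""
    def __init__(self, ace_type, sid, mask):
        self.type, self.sid, self.mask = ace_type, sid, mask


class SecurityDescriptor:
    """Owner SID plus a DACL. dacl=None means no DACL at all, which Windows
    treats as unrestricted access; an empty list means nobody has access."""
    def __init__(self, owner, dacl):
        self.owner, self.dacl = owner, dacl


class Token:
    """The caller's security context: its user SID and enabled group SIDs."""
    def __init__(self, user, groups):
        self.sids = {user, *groups}


def access_check(token, sd, desired):
    """Return (granted, reason) for the rights in `desired`, walking the DACL in order."""
    if sd.dacl is None:
        return True, "no DACL present: access unrestricted"
    remaining = desired
    if sd.owner in token.sids:
        # Windows grants an object's owner READ_CONTROL and WRITE_DAC implicitly.
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:
        if remaining == 0:
            break                                  # everything granted; later ACEs are not consulted
        if ace.sid not in token.sids:
            continue                               # ACE is for a SID the caller does not hold
        if ace.type == ACCESS_DENIED and ace.mask & remaining:
            return False, "denied by ACE for %s" % ace.sid
        if ace.type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
    if remaining == 0:
        return True, "all requested rights granted"
    return False, "rights never granted: 0x%08x" % remaining


def is_canonical(dacl):
    """Explicit deny ACEs must come before explicit allow ACEs. If an allow ACE is
    evaluated first it can satisfy the request before the deny is ever reached."""
    seen_allow = False
    for ace in dacl or []:
        if ace.type == ACCESS_ALLOWED:
            seen_allow = True
        elif seen_allow:
            return False
    return True


# Constructed SIDs: Everyone, two users and a "Contractors" group in a made-up domain.
EVERYONE = "S-1-1-0"
ALICE = "S-1-5-21-1-2-3-1001"
BOB = "S-1-5-21-1-2-3-1002"
CONTRACTORS = "S-1-5-21-1-2-3-2001"

CANONICAL = SecurityDescriptor(owner=ALICE, dacl=[
    Ace(ACCESS_DENIED, CONTRACTORS, FILE_WRITE_DATA | DELETE),
    Ace(ACCESS_ALLOWED, EVERYONE, FILE_READ_DATA | FILE_WRITE_DATA),
])
# Same ACEs with allow listed before deny: the deny no longer blocks writes.
MISORDERED = SecurityDescriptor(owner=ALICE, dacl=list(reversed(CANONICAL.dacl)))

BOB_TOKEN = Token(BOB, {EVERYONE, CONTRACTORS})
ALICE_TOKEN = Token(ALICE, {EVERYONE})

if __name__ == "__main__":
    print("bob read   (canonical): ", access_check(BOB_TOKEN, CANONICAL, FILE_READ_DATA))
    print("bob write  (canonical): ", access_check(BOB_TOKEN, CANONICAL, FILE_WRITE_DATA))
    print("bob write  (misordered):", access_check(BOB_TOKEN, MISORDERED, FILE_WRITE_DATA))
    print("misordered DACL canonical?", is_canonical(MISORDERED.dacl))
```

The misordered case is the one worth remembering: the ACEs are identical, only their order differs, and the contractor's write succeeds because the allow for Everyone is reached first. Tools that write ACLs directly (rather than through the security editor, which reorders for you) can produce exactly this, so a check like is_canonical belongs in any script that audits or rewrites DACLs.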
security groups
Groups that can be used to administer permissions for users and other domain objects.
security ID (SID)
A data structure of variable length that uniquely identifies user, group, service, and computer accounts within an enterprise. Every account is issued a SID when the account is first created. Access control mechanisms in Windows 2000 identify security principals by SID rather than by name. See also relative ID; security principal.
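Because access control keys on the SID rather than the name, it helps to be able to read one. The following is an added example, not part of the original glossary: it converts a SID between the string form (S-revision-authority-subauthorities) and the binary layout stored in tokens and ACEs, and splits a domain account SID into its domain SID and relative ID. The sample SID bytes and the example domain are constructed; the well-known RIDs are the Windows-defined ones.

```python
"""Added example, not part of the original glossary: converting a SID between
its string form and the binary layout Windows stores in tokens and ACLs, and
splitting a domain account SID into the domain SID and the relative ID (RID).
The SID values used below are constructed, except for the well-known RIDs,
which are Windows-defined."""
import struct

# Well-known relative IDs (the last sub-authority). The domain-relative ones
# apply under any S-1-5-21-... domain SID; 544 is under the built-in S-1-5-32.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
    544: "Administrators (built-in alias, under S-1-5-32)",
}


def parse_sid(sid_string):
    """Parse 'S-1-5-21-1-2-3-1001' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid_string.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("malformed SID: %r" % sid_string)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if (revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15
            or any(not 0 <= s < 2 ** 32 for s in subs)):
        raise ValueError("SID fields out of range: %r" % sid_string)
    return revision, authority, subs


def sid_to_bytes(sid_string):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as 4 bytes little-endian."""
    revision, authority, subs = parse_sid(sid_string)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; rejects buffers whose length disagrees with the count byte."""
    if len(data) < 8:
        raise ValueError("SID buffer too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("inconsistent SID header")
    authority = int.from_bytes(data[2:8], "big")
    subs = [struct.unpack_from("<I", data, 8 + 4 * i)[0] for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_rid(sid_string):
    """For a domain account SID (S-1-5-21-A-B-C-RID) or a built-in alias (S-1-5-32-RID)
    return (domain SID, RID, well-known name or None). The whole SID identifies the
    principal: the same RID under a different domain SID is a different account."""
    _, authority, subs = parse_sid(sid_string)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain_subs = subs[:4]
    elif authority == 5 and len(subs) == 2 and subs[0] == 32:
        domain_subs = subs[:1]
    else:
        raise ValueError("not a domain account or built-in SID: %r" % sid_string)
    domain = "S-1-5-" + "-".join(str(s) for s in domain_subs)
    rid = subs[-1]
    return domain, rid, WELL_KNOWN_RIDS.get(rid)


# Constructed binary SID as it might be read out of an ACE: S-1-5-21-1-2-3-1001.
SAMPLE_SID_BYTES = bytes.fromhex(
    "01" "05" "000000000005"          # revision 1, five sub-authorities, authority 5 (NT)
    "15000000" "01000000" "02000000"  # 21, 1, 2 (little-endian)
    "03000000" "e9030000"             # 3, 1001
)

if __name__ == "__main__":
    sid = bytes_to_sid(SAMPLE_SID_BYTES)
    print(sid, split_domain_rid(sid))
    print(split_domain_rid("S-1-5-21-1-2-3-512"))
```

The length check in bytes_to_sid matters when SIDs are pulled out of larger structures: the count byte is the only thing that says where the SID ends, so a buffer that is shorter than the count implies must be rejected rather than read past.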
security method
A process that determines the Internet Protocol security services, key settings, and algorithms that will be used to protect the data during the communication.
Security Parameters Index (SPI)
A unique, identifying value in the SA used to distinguish among multiple security associations existing at the receiving computer.
security principal
An account-holder, such as a user, computer, or service. Each security principal within a Windows 2000 domain is identified by a unique security ID (SID). When a security principal logs on to a computer running Windows 2000, the Local Security Authority (LSA) authenticates the security principal's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this security principal will have a copy of its access token. See also access token; security ID; security principal name.
security principal name
A name that uniquely identifies a user, group, or computer within a single domain. This name is not guaranteed to be unique across domains. See also security principal.
Security Reference Monitor
A subsystem that is the primary authority for enforcing access control on a computer running Windows 2000 or Windows NT.
security subsystem
See Local Security Authority (LSA).
security template
A physical file representation of a security configuration that can be applied to a local computer or imported to a Group Policy object in Active Directory. When you import a security template to a Group Policy object, Group Policy processes the template and makes the corresponding changes to the members of that Group Policy object, which can be users or computers.
seed router
In the Macintosh environment, a router which initializes and broadcasts routing information about one or more physical networks. This information tells routers where to send each packet of data. On an AppleTalk network, a seed router initially defines the network numbers and zones for a network. Services for Macintosh servers, and third-party hardware routers can function as seed routers.
seek time
The amount of time required for a disk head to position itself at the right disk cylinder to access requested data.
selective acknowledgement (SACK)
A Transmission Control Protocol (TCP) option that allows the receiver to re-request only the missing data from the sender.
A Systems Management Server thread component that uses an existing connectivity system to communicate among sites. A sender manages the connection, ensures the integrity of transferred data, recovers from errors, and closes connections when they are no longer needed.
Sequenced Packet Exchange (SPX)
A transport layer protocol built on top of IPX.
A Windows feature that uses a communications aid interface device to allow keystrokes and mouse controls to be accepted through a computer's serial port.
A computer that provides shared resources to network users.
Server Announcement
A specific datagram generated by computers on Microsoft networks to announce their presence on the network to master browsers.
server cluster
A cluster created and administered by the Cluster service and associated software (.exe and .dll files), between whose nodes the Cluster service provides failover support for applications running on the servers. The server cluster includes the hardware and the cluster configuration as well as the Cluster service. See also cluster; node.
Server Cluster API
The collection of functions that are implemented by the Cluster service and used by cluster-aware applications, cluster management applications, and resource DLLs. The Server Cluster API includes functions for managing server cluster objects and the cluster database.
Server Message Block (SMB)
A file-sharing protocol designed to allow networked computers to transparently access files that reside on remote systems over a variety of networks. The SMB protocol defines a series of commands that pass information between computers. SMB uses four message types: session control, file, printer, and message.
Server service
A software component that provides RPC (remote procedure call) support and file, print, and Named Pipe sharing. See also Named Pipe; remote procedure call (RPC).
A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage.
service (SRV) resource record
A resource record used in a zone to register and locate well-known TCP/IP services. The SRV resource record was specified in RFC 2052 (since superseded by RFC 2782) and is used in Windows 2000 to locate domain controllers for Active Directory service. See also resource record.
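The following is an added example, not part of the original glossary: it parses SRV records from zone-file text and chooses a target the way RFC 2782 describes, lowest priority first and weighted random selection within that priority. The zone lines are constructed; the _ldap._tcp.dc._msdcs name form is the one Windows 2000 domain controllers register.

```python
"""Added example, not part of the original glossary: parsing SRV records from
zone-file text and selecting a target per RFC 2782 (lowest priority first,
weighted random choice within a priority). The zone lines are constructed."""
import random

ZONE_LINES = """
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 0 389 dc-backup.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""


def parse_srv(text):
    """Parse lines of the form 'owner TTL IN SRV priority weight port target'."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            raise ValueError("not an SRV record: %r" % line)
        owner, ttl, _cls, _rtype, priority, weight, port, target = fields
        records.append({
            "name": owner.rstrip(".").lower(), "ttl": int(ttl),
            "priority": int(priority), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".").lower(),
        })
    return records


def by_priority(records, name):
    """All records for `name`, grouped into lists from lowest (most preferred) priority up.
    A client that cannot reach anything in one group moves on to the next."""
    wanted = name.rstrip(".").lower()
    groups = {}
    for r in records:
        if r["name"] == wanted:
            groups.setdefault(r["priority"], []).append(r)
    return [groups[p] for p in sorted(groups)]


def select_target(records, name, rng=random):
    """Pick one record: the lowest-priority group wins outright; within it, each record
    is chosen with probability proportional to its weight, using the running-sum
    method from RFC 2782 (weight-0 records ordered first so they are rarely chosen).
    Returns None when no record exists for the name."""
    groups = by_priority(records, name)
    if not groups:
        return None
    group = sorted(groups[0], key=lambda r: r["weight"] == 0, reverse=True)
    total = sum(r["weight"] for r in group)
    threshold = rng.randint(0, total)
    running = 0
    for r in group:
        running += r["weight"]
        if running >= threshold:
            return r
    return group[-1]


if __name__ == "__main__":
    recs = parse_srv(ZONE_LINES)
    chosen = select_target(recs, "_ldap._tcp.dc._msdcs.example.com")
    print("LDAP DC:", chosen["target"], chosen["port"])
    print("failover order:", [[r["target"] for r in g]
                              for g in by_priority(recs, "_ldap._tcp.dc._msdcs.example.com")])
```

One caveat a practitioner should keep in mind: an SRV answer only tells the client where to look. The client still has to authenticate the domain controller it reaches (Kerberos does this through mutual authentication), because an attacker who can answer DNS can hand out any target; this is one reason the dynamic registration of these records is done with secure dynamic update.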
service access point
A logical address that allows a system to route data between a remote device and the appropriate communications support.
service level agreement (SLA)
A contract between your IT group and users that specifies what performance levels are acceptable for services, such as equipment replacement and network downtime.
service name
The name by which a port is known.
service ticket
See session ticket.
In the context of load balancing TCP/IP traffic, a set of client requests directed to a server. These requests can be invoked with multiple, possibly concurrent, TCP connections. The server program sometimes maintains state information between requests. To preserve access to the server state, Network Load Balancing needs to direct all requests within a session to the same cluster host when load balancing. See also client request; server; TCP/IP.
session key
A key used primarily for encrypting and decrypting the data exchanged during a single session, and discarded afterwards. Session keys are typically used with symmetric encryption algorithms, where the same key is used for both encryption and decryption; for this reason, session key and symmetric key usually refer to the same type of key. See also symmetric key encryption.
session layer
A network layer that allows two applications on different computers to establish, use, and end a session. This layer establishes dialog control between the two computers in a session, regulating which side transmits, as well as when and how long it transmits.
session ticket
A credential presented by a client to a service in the Kerberos authentication protocol. Because session tickets are used to obtain authenticated connections to services, they are sometimes called service tickets. See also Kerberos authentication protocol; Key Distribution Center (KDC).
A logical connection created between two hosts to exchange data. Typically, sessions use sequencing and acknowledgments to send data reliably.
share name
A name that refers to a shared resource on a server. Each shared folder on a server has a share name used by personal computer users to refer to the folder. Users of Macintosh computers use the name of the Macintosh-accessible volume that corresponds to a folder, which may be the same as the share name. See also Macintosh-accessible volume.
shared nothing
A scalability concept in clusters and SMP systems whereby a workload is partitioned among available hardware resources. These resources are used on the workload independently, without sharing of processors, disks, or other hardware resources.
shared printer
A printer that receives input from more than one computer. For example, a printer attached to another computer on the network can be shared so that it is available for many users. Also called a network printer.
The command interpreter that is used to pass commands to the operating system.
Shiva Password Authentication Protocol (SPAP)
A two-way, reversible encryption mechanism for authenticating PPP connections, employed by Shiva remote access servers. Because the encryption is reversible, SPAP provides weaker protection than challenge-response methods such as CHAP and should be enabled only for clients that require it.
short name
A valid MS-DOS or OS/2 8.3 file name (with up to 8 characters followed by a period and an extension of up to 3 characters) that a computer running Windows 2000 Server creates for every Macintosh folder name or file name on the server. Personal computer users refer to files on the server by their short names; Macintosh users refer to them by their long names. See also name mapping.
shortcut trust
A two-way trust relationship that is explicitly created between two Windows 2000 domains in the same forest. The purpose of a shortcut trust is to optimize the inter-domain authentication process by shortening the trust path. All shortcut trusts are transitive and must be created manually in each direction. See also domain tree; forest; transitive trust relationship.
A global flag that instructs programs to display captions for speech and system sounds to alert users with hearing impairments or people who work in a noisy location such as a factory floor.
silent discard
The discarding of a packet without informing the sending host why the packet was discarded.
silent RIP
The capability of a computer to listen for and process Routing Information Protocol (RIP) announcements but without announcing its own routes.
Simple Mail Transfer Protocol (SMTP)
A protocol used on the Internet to transfer mail. SMTP is independent of the particular transmission subsystem and requires only a reliable, ordered, data stream channel.
Simple Network Management Protocol (SNMP)
A network management protocol installed with TCP/IP and widely used on TCP/IP and Internetwork Packet Exchange (IPX) networks. SNMP transports management information and commands between a management program run by an administrator and the network management agent running on a host. The SNMP agent sends status information to one or more hosts when a host requests it or when a significant event occurs.
single point of failure
Any component in your environment that would block data or applications if it failed.
single-path routing infrastructure
A routing infrastructure where only a single path exists between any two network segments in the internetwork.
sip-and-puff device
An alternative input device that allows a user to operate a computer by breath control. For users who are unable to use standard input devices, such as a mouse or keyboard.
A location in a network that holds Active Directory servers. A site is defined as one or more well-connected TCP/IP subnets. ("Well-connected" means that network connectivity is highly reliable and fast, for example, LAN speeds of 10 megabits per second or greater.) Because computers in the same site are close to each other in network terms, communication among them is reliable, fast, and efficient. Defining a site as a set of subnets allows administrators to configure Active Directory access and replication topology to take advantage of the physical network. When users log on to the network, Active Directory clients find Active Directory servers in the same site as the client. In Systems Management Server, a site is the set of site servers and client computers bounded by a group of subnets, such as an IP subnet or an IPX network number. See also domain controller locator; subnet; replication topology.
site link
An Active Directory object that represents a set of sites that can communicate at uniform cost through some intersite transport. For IP transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link connecting more than two sites might correspond to an ATM backbone connecting more than two clusters of buildings on a large campus, or several offices in a large metropolitan area connected via leased lines and IP routers. See also connection object; site link bridge.
site link bridge
An Active Directory object that represents a set of site links, all of whose sites can communicate via some transport. Typically a site link bridge corresponds to a router (or a set of routers) in an IP network. By default, the Knowledge Consistency Checker may form a route through any and all site links in a transitive manner. If this behavior is turned off, each site link represents its own distinct and isolated network. Sets of site links that can be treated as a single route are expressed through a site link bridge. Each bridge represents an isolated communication environment for network traffic.
site server
A computer running Windows NT Server on which Systems Management Server (SMS) site setup has been run. When SMS is installed on a computer, that computer is assigned the site server role. The site server, which hosts SMS components needed to monitor and manage an SMS site, typically performs several additional SMS roles, including component server, client access point, and distribution point.
A server that does not attempt to resolve queries on its own. Instead, it sends all queries to forwarders. See also forwarder.
slow link processing
A configurable Group Policy processing mode that allows administrators to define which Group Policy settings will not be processed over slow network links.
A Windows feature that instructs the computer to disregard keystrokes that are not held down for a minimum period of time, which allows the user to brush against keys without any effect. See also FilterKeys.
Small Computer System Interface (SCSI)
A standard high-speed parallel interface defined by the X3T9.2 committee of the American National Standards Institute (ANSI). A SCSI interface is used for connecting microcomputers to peripheral devices, such as hard disks and printers, and to other computers and local area networks.
Small Office/Home Office (SOHO)
An office with a few computers that can be considered a small business or part of a larger network.
smart card
A credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card. See also authentication; certificate; nonrepudiation.
smart-card reader
A device that is installed in computers to enable the use of smart cards for enhanced security features. See also smart card.
See Simple Mail Transfer Protocol.
An application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.
See Simple Network Management Protocol.
SNMP Management Console
The interface through which a manager, either a user or a program, performs management activities.
SOA (start of authority) resource record
See start of authority (SOA) resource record.
A bidirectional pipe for incoming and outgoing data between networked computers. The Windows Sockets API is a networking API used by programmers to create TCP/IP-based sockets programs.
soft affinity
A mechanism designed to optimize performance in a multiprocessor environment. Soft affinity favors scheduling threads on the processor on which they recently ran, or on the thread's ideal processor. With soft affinity, the efficiency of the processor cache is higher because threads often run on the processor on which they previously ran. Soft affinity does not restrict a thread to a given processor.
software inventory
In Systems Management Server, the automated process that SMS uses to gather information about software on client computers.
software metering
In Systems Management Server, the process by which SMS monitors and manages the use of software applications to ensure compliance with software licensing agreements or to understand software usage.
software router
A router that is not dedicated to performing routing but performs routing as one of multiple processes running on the router computer.
software trap
In programming, an event that occurs when a microprocessor detects a problem with executing an instruction, which causes it to stop.
A Windows feature that produces a visual cue, such as a screen flash or a blinking title bar instead of system sounds.
source routing
The practice of specifying the list of networks or routers in the network layer header to forward a packet along a specific path in an internetwork.
sparse file
A file that is handled in a way that requires less disk space than would otherwise be needed by allocating only meaningful non-zero data. Sparse support allows an application to create very large files without committing disk space for every byte.
speech synthesizer
An assistive device that produces spoken words, either by splicing together prerecorded words or by programming the computer to produce the sounds that make up spoken words.
split horizon
A route-advertising algorithm that prevents the advertising of routes in the same direction in which they were learned. Split horizon helps prevent routing loops. See also poison reverse.
A process on a server in which print documents are stored on a disk until a printer is ready to process them. A spooler accepts each document from each client, stores it, and sends it to a printer when the printer is ready.
SRV (service) resource record
See service (SRV) resource record.
stand-alone certification authority
A Windows 2000 certification authority that is not integrated with Active Directory. See also certification authority; enterprise certification authority.
stand-alone Dfs
Implementation of Dfs that stores its configuration in the local registry. It is intended for backward compatibility with previous versions of Dfs. A stand-alone Dfs root has the following characteristics: it does not use Active Directory (or FRS file replication) and it cannot have replicas at the root level.
stand-alone server
A computer that runs Windows 2000 Server but does not participate in a domain. A stand-alone server has only its own database of users, and it processes logon requests by itself. It does not share account information with any other computer and cannot provide access to domain accounts. See also member server; domain controller; global group; local group.
standard error (STDERR)
In UNIX, the defined receiver of error messages about a process. By default, the standard error goes to the terminal.
standard input (STDIN)
In UNIX, the defined source of input for a process. By default, standard input comes from the terminal.
standard output (STDOUT)
In UNIX, the defined receiver for output from a process. By default, the standard output goes to the terminal.
Standard TCP/IP Port Monitor
A port monitor that connects a Windows 2000 print server to network-interface printers that use the TCP/IP protocol. It replaces LPRMON for TCP/IP printers connected directly to the network through a network adapter. Printers connected to a UNIX or VAX host that requires RFC 1179 compliance may still require LPRMON on the print server.
start of authority (SOA) resource record
A record that indicates the starting point or original point of authority for information stored in a zone. The SOA resource record (RR) is the first RR created when adding a new zone. It also contains several parameters that other DNS servers use to determine how long they will use information for the zone and how often updates are required. See also authoritative; zone.
As related to servers, not involving the update of a server-side database based on a client request. As related to the handling of files, not modifying the content of the file. For Web servers, a stateless client request, which members of a Network Load Balancing cluster can process, is one that returns a static Web page to the client.
static router
A router with manually configured routing tables. A network administrator, with knowledge of the internetwork topology, manually builds and updates the routing table, programming all routes in the routing table. Static routers can work well for small internetworks but do not scale well to large or dynamically changing internetworks due to their manual administration.
static routing
Routing limited to fixed routing tables, as opposed to dynamically updated routing tables. See also dynamic routing; routing; routing table.
static services
IPX services that are permanently stored in a SAP table. Static services are advertised using normal SAP processes. Static SAP services are typically used to define the services that are available across a demand-dial connection.
status area
The area on the taskbar to the right of the taskbar buttons. The status area displays the time and can also contain icons that provide quick access to programs, such as Volume Control and Power Options. Other icons can appear temporarily, providing information about the status of activities. For example, the printer icon appears after a document has been sent to the printer and disappears when printing is complete.
An accessibility feature built into Windows that causes modifier keys such as SHIFT, CTRL, WINDOWS LOGO, or ALT to stay on after they are pressed, eliminating the need to press multiple keys simultaneously. This feature facilitates the use of modifier keys for users who are unable to hold down one key while pressing another.
Stop error
A serious error that affects the operating system and that could place data at risk. The operating system generates an obvious message, a screen with the Stop message, rather than continuing on and possibly corrupting data. Also known as a fatal system error. See also Stop message.
Stop message
A character-based, full-screen error message displayed on a blue background. A Stop message indicates that the Windows 2000 kernel detected a condition from which it cannot recover. Each message is uniquely identified by a Stop error code (a hexadecimal number) and a string indicating the error's symbolic name. Stop messages are usually followed by up to four additional hexadecimal numbers, enclosed in parentheses, which identify developer-defined error parameters. A driver or device may be identified as the cause of the error. A series of troubleshooting tips are also displayed, along with an indication that, if the system was configured to do so, a memory dump file was saved for later use by a kernel debugger. See also Stop error.
storage hierarchy
A directed cyclic graph of linked storage pools.
storage pool
A unit of storage administered by Removable Storage and composed of homogenous storage media. A storage pool is a self-contained storage area with homogenous characteristics (for example, random access, sequential access, read/write, and write-once).
storage-class resource
A required dependency for many resource types: a resource that manages a disk in the cluster that can be accessed using a drive letter. Windows 2000 Advanced Server provides one storage-class resource: Physical Disk. However, vendors or resellers may supply other storage-class resource types. See also resource type.
store-and-forward replication
A replication model, used by Active Directory, in which changes are not sent directly from one domain controller to all other domain controllers. Instead, a system of replication partners is created automatically by the system, taking advantage of the existing connections. Replication through neighboring systems is also called transitive replication. See also Active Directory replication; multimaster replication.
A sequence of bits, bytes, or other small structurally uniform units.
Stream Input/Output (Stream I/O)
A protocol that provides access to IBM host data one file at a time, as opposed to one record at a time, such as with Structured Query Language (SQL).
stream socket
A socket using the Windows Sockets API that provides a two-way, reliable, sequenced, and unduplicated flow of data.
streaming media servers
Software (such as Microsoft Media Technologies) that provides multimedia support, allowing you to deliver content by using Advanced Streaming Format over an intranet or the Internet.
stripe set
The saving of data across identical partitions on different drives. A stripe set does not provide fault tolerance; however, stripe sets with parity do provide fault tolerance. See also fault tolerance; partition; stripe set with parity; volume set.
stripe set with parity
A method of data protection in which data is striped in large blocks across all the disks in an array. Data redundancy is provided by the parity information. This method provides fault tolerance. See also stripe set, fault tolerance.
striped volume
A volume that stores data in stripes on two or more physical disks. Data in a striped volume is allocated alternately and evenly (in stripes) to these disks. Striped volumes offer the best performance of all volumes available in Windows 2000, but they do not provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You can create striped volumes only on dynamic disks. Striped volumes cannot be mirrored or extended. In Windows NT 4.0, a striped volume was known as a stripe set. See also dynamic disk, dynamic volume, fault tolerance, volume.
structural classes
The only classes that can have instances in the directory. That is, you can create directory objects whose class is one of the structural classes.
structured query language (SQL)
A widely accepted standard database sublanguage used in querying, updating, and managing relational databases.
stub area
An OSPF area that does not advertise individual external networks. Routing to all external networks in a stub area is done through a default route (destination with the network mask of
An area composed of one subarea node (a type 5 host node or a type 4 node [a Front End Processor]) and the resources it controls, including type 2 nodes.
A classSchema object that inherits from some other classSchema object. For example, a subclass inherits structure and content rules from the parent object.
The class from which this object inherits attributes. For structural classes, the subClassOf can be a structural or abstract class. For abstract classes, the subClassOf can only be an abstract class. For auxiliary classes, the subClassOf can be an abstract or auxiliary class.
The value is the lDAPDisplayName of a class. You must ensure that the class exists or will exist when the new class is written to the directory. If class does not exist, the classSchema object will fail to be added to the directory.
subdomain
A DNS domain located directly beneath another domain name (the parent domain) in the namespace tree. For example, "eu.reskit.com" is a subdomain of the domain "reskit.com."
subject
An entity acting on an object. For example, when a thread of execution opens a file, the thread is a subject and the file is the object of its action. See also object; thread.
subkey
In the registry, a key within a key. Subkeys are analogous to subdirectories in the registry hierarchy. Keys and subkeys are similar to the section header in .ini files; however, subkeys can carry out functions. See also key.
subnet
A subdivision of an IP network. Each subnet has its own unique subnetted network ID.
subnet mask
A 32-bit value expressed as four decimal numbers from 0 to 255, separated by periods (for example, This number allows TCP/IP to determine the network ID portion of an IP address.
subnetted network ID
A network ID for a subnetted network segment that is the result of a subdivision of a TCP/IP network ID.
subnetted reverse lookup zone
A reverse lookup zone authoritative for only a portion of a Class C network address. Subnetted reverse lookup zones are not required even if a network is subnetted; they are merely an administrative choice. See also reverse lookup zone.
subnetting
The act of subdividing the address space of a TCP/IP network ID into smaller network segments, each with its own subnetted network ID.
subordinate reference
In Active Directory, knowledge of a partition or partitions directly below a partition held by a domain controller.
subordinate referral
In an LDAP search, information about a directory location that is returned by a subtree search. If a subtree search has a search base that includes child directory partitions, the domain controller uses subordinate references to return a subordinate referral to a domain controller that stores the requested partition.
subtree search
See search scope.
superclass
The class from which a subclass derives all mandatory and optional attributes in addition to those specific to the class itself.
superior reference
In Active Directory, knowledge about a referral location that is used when the domain controller has no knowledge of the search base.
supernetting
The practice of expressing a range of IP network IDs using a single IP network ID and subnet mask. Supernetting is a route aggregation and summarization technique.
superscope
An administrative grouping of scopes that can be used to support multiple, logical IP subnets on the same physical subnet. Superscopes contain a list of member scopes, or child scopes, that can be activated as a collection.
switch
A computer or other network-enabled device that controls routing and operation of a signal path. In clustering, a switch is used to connect the cluster hosts to a router or other source of incoming network connections. See also routing.
switched virtual circuit (SVC)
A connection established dynamically between devices on an ATM network through the use of signaling.
symmetric interrupt distribution
A mechanism for distributing interrupts across available processors.
symmetric key
A single key that is used with symmetric encryption algorithms for both encryption and decryption. See also bulk encryption; encryption; decryption; session key.
symmetric key encryption
An encryption algorithm that requires the same secret key to be used for both encryption and decryption. This is often called secret key encryption. Because of its speed, symmetric encryption is typically used rather than public key encryption when a message sender needs to encrypt large amounts of data.
symmetric multiprocessing (SMP)
A computer architecture in which multiple processors share the same memory, which contains one copy of the operating system, one copy of any applications that are in use, and one copy of the data. Because the operating system divides the workload into tasks and assigns those tasks to whatever processors are available, SMP reduces transaction time.
symmetric-key algorithm
A symmetric cipher that uses the same key for encryption and decryption. See also symmetric key encryption; symmetric key; public key algorithm.
symmetric-key cryptography
A type of cryptography that uses symmetric keys to provide confidentiality. See also cryptography; symmetric-key encryption; symmetric-key algorithm.
Synchronization Manager
In Windows 2000, the tool used to ensure that a file or directory on a client computer contains the same data as a matching file or directory on a server.
Synchronized Accessible Media Interchange (SAMI)
A format optimized for creating captions and audio descriptions in a single document.
synchronous processing
The default Group Policy processing mode in Windows 2000. In this default mode users cannot log on until all computer Group Policy objects have been processed and cannot begin working on their computers until all user Group Policy objects have been processed.
A process that executes through an optional parameter of Winnt32.exe. Used for clean installations to computers that have dissimilar hardware. This automated installation method reduces deployment time by eliminating the file-copy phase of Setup. See automated installation.
A tool that prepares the hard disk on a source computer for duplication to target computers and then runs a third-party disk-imaging process. This automated installation method is used when the hard disk on the master computer is identical to those of the target computers. See automated installation.
system access control list (SACL)
The part of an object's security descriptor that specifies which events are to be audited per user or group. Examples of auditing events are file access, logon attempts, and system shutdowns. See also access control entry (ACE); discretionary access control list (DACL); object; security descriptor.
system call
A routine that makes the operating system available to a program or that requests services from the operating system.
system files
Files that are used by Windows to load, configure, and run the operating system. Generally, system files must never be deleted or moved.
System Key (SysKey)
A tool provided with Windows 2000 to protect all symmetric cryptographic keys in a domain or organizational unit by encrypting them with a 128-bit random key.
System Monitor
A tool that supports detailed monitoring of the use of operating system resources. System Monitor is hosted, along with Performance Logs and Alerts, in the Performance console. The functionality of System Monitor is based on Windows NT Performance Monitor, not Windows 98 System Monitor.
system policy
In network administration, the part of Group Policy that is concerned with the current user and local computer settings in the registry. In Windows 2000, system policy is sometimes called software policy and is one of several services provided by Group Policy, a Microsoft Management Console (MMC) snap-in. The Windows NT 4.0 System Policy Editor, Poledit.exe, is included with Windows 2000 for backward compatibility. That is, administrators need it to set system policy on Windows NT 4.0 and Windows 95 computers. See also Microsoft Management Console (MMC); registry.
System State
A collection of system-specific data that can be backed up and restored. For all Windows 2000 operating systems, the System State data includes the registry, the class registration database, and the system boot files. For Windows 2000 Server, the system state data also includes the Certificate Services database (if the server is operating as a certificate server). If the server is a domain controller, the system state data also includes Active Directory and the Sysvol directory. See also Active Directory; domain controller; Sysvol.
system-only attributes
Attributes on which Windows 2000 and Active Directory depend for normal operations.
systemAuxiliaryClass
A multivalued property that specifies the auxiliary classes from which a class inherits. After creation of the class, this property cannot be changed.
Each value is the lDAPDisplayName of a class. You must ensure that the classes exist, or will exist, when the new class is written to the directory. If one of the classes does not exist, the classSchema object will fail to be added to the directory.
The full set of auxiliary classes that this class inherits from is the union of the systemAuxiliaryClass and auxiliaryClass on this class as well as the systemAuxiliaryClass and auxiliaryClass properties of all inherited classes.
systemMayContain
A multivalued property that specifies the attributes that may be present on instances of this class. These are optional attributes that are not mandatory and, therefore, may or may not be present on an instance of this class. After creation of the class, this property cannot be changed.
Each value is the lDAPDisplayName of an attribute. You must ensure that the attributes exist or will exist when the new class is written to the directory. If one of the attributes does not exist, the classSchema object will fail to be added to the directory.
The full set of optional attributes for this class is the union of the systemMayContain and mayContain on this class as well as the systemMayContain and mayContain properties of all inherited classes.
systemMustContain
A multivalued property that specifies the attributes that must be present on instances of this class. These are mandatory attributes that must be present during creation and cannot be cleared after creation. After creation of the class, this property cannot be changed.
Each value is the lDAPDisplayName of an attribute. You must ensure that the attributes exist or will exist when the new class is written to the directory. If one of the attributes does not exist, the classSchema object will fail to be added to the directory.
The full set of mandatory attributes for this class is the union of the systemMustContain and mustContain on this class as well as the systemMustContain and mustContain properties of all inherited classes.
systemPossSuperiors
A multivalued property that specifies the structural classes that can be legal parents of instances of this class. After creation of the class, this property cannot be changed.
Each value is the lDAPDisplayName of a class. You must ensure that the classes exist or will exist when the new class is written to the directory. If one of the classes does not exist, the classSchema object will fail to be added to the directory.
The full set of possible superiors is the union of the systemPossSuperiors and possSuperiors on this class as well as the systemPossSuperiors and possSuperiors properties of all inherited superclasses (structural or abstract classes). Note that possSuperiors are not inherited from auxiliary classes.
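The inheritance rules stated in the systemAuxiliaryClass, systemMayContain, systemMustContain and systemPossSuperiors entries above, worked through as an added example. This is not code from the resource kit and the schema it uses is constructed: the class names echo real Active Directory classes, but their attribute lists are simplified and are not the real Windows 2000 schema. subClassOf is modelled as a single superclass, with top as its own root.

```python
"""Effective attribute sets of a class under the classSchema inheritance
rules.  Added example with a constructed miniature schema (see lead-in)."""

MULTIVALUED = ("systemMustContain", "mustContain", "systemMayContain",
               "mayContain", "systemAuxiliaryClass", "auxiliaryClass",
               "systemPossSuperiors", "possSuperiors")


def classdef(sub_class_of, category, **props):
    """Build a classSchema-like dict; unspecified multivalued properties are empty."""
    d = {"subClassOf": sub_class_of, "objectClassCategory": category}
    for key in MULTIVALUED:
        d[key] = set(props.get(key, ()))
    return d


# Constructed, simplified schema; attribute lists are illustrative only.
SCHEMA = {
    "top": classdef("top", "abstract", systemMustContain={"objectClass"},
                    systemMayContain={"cn", "description"}),
    "container": classdef("top", "structural"),
    "organizationalUnit": classdef("top", "structural"),
    "domainDNS": classdef("top", "structural"),
    "mailRecipient": classdef("top", "auxiliary", systemMayContain={"mail"},
                              mayContain={"proxyAddresses"},
                              possSuperiors={"container"}),
    "person": classdef("top", "structural", systemMustContain={"sn"},
                       systemMayContain={"telephoneNumber"},
                       systemPossSuperiors={"organizationalUnit"}),
    "user": classdef("person", "structural", mustContain={"sAMAccountName"},
                     systemMayContain={"userPrincipalName"},
                     systemAuxiliaryClass={"mailRecipient"},
                     possSuperiors={"domainDNS"}),
}


def superclass_chain(schema, name):
    """The class itself, then each superclass up to the root (top)."""
    chain = []
    while name not in chain:
        chain.append(name)
        name = schema[name]["subClassOf"]
    return chain


def auxiliary_classes(schema, name):
    """Union of systemAuxiliaryClass and auxiliaryClass over the class and
    every class it inherits from."""
    aux = set()
    for cls in superclass_chain(schema, name):
        aux |= schema[cls]["systemAuxiliaryClass"] | schema[cls]["auxiliaryClass"]
    return aux


def inherited_classes(schema, name):
    """All classes contributing attributes: the superclass chain plus each
    auxiliary class and its own superclass chain."""
    classes = superclass_chain(schema, name)
    for aux in sorted(auxiliary_classes(schema, name)):
        classes += [c for c in superclass_chain(schema, aux) if c not in classes]
    return classes


def _union(schema, classes, system_key, key):
    attrs = set()
    for cls in classes:
        attrs |= schema[cls][system_key] | schema[cls][key]
    return attrs


def must_contain(schema, name):
    """Mandatory attributes: systemMustContain and mustContain over all inherited classes."""
    return _union(schema, inherited_classes(schema, name),
                  "systemMustContain", "mustContain")


def may_contain(schema, name):
    """Optional attributes: systemMayContain and mayContain over all inherited classes."""
    return _union(schema, inherited_classes(schema, name),
                  "systemMayContain", "mayContain")


def poss_superiors(schema, name):
    """Legal parents: union over the superclass chain only, because
    possSuperiors are not inherited from auxiliary classes."""
    return _union(schema, superclass_chain(schema, name),
                  "systemPossSuperiors", "possSuperiors")


def missing_class_references(schema, definition):
    """Class names a new classSchema refers to that are not (yet) in the
    schema; a non-empty result means the add would fail."""
    refs = {definition["subClassOf"]}
    for key in ("systemAuxiliaryClass", "auxiliaryClass",
                "systemPossSuperiors", "possSuperiors"):
        refs |= definition[key]
    return {r for r in refs if r not in schema}
```

The constructed mailRecipient class carries a possSuperiors value precisely so that poss_superiors() can show it being excluded for user, while may_contain() still picks up mail and proxyAddresses from the same auxiliary class.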
systemroot
The path and folder name where the Windows 2000 system files are located. Typically, this is C:\Winnt, although a different drive or folder can be designated when Windows 2000 is installed. The value %systemroot% can be used to replace the actual location of the folder that contains the Windows 2000 system files. To identify your systemroot folder, click Start, click Run, and then type %systemroot%.
Systems Management Server
A part of the Windows BackOffice suite of products. Systems Management Server (SMS) includes inventory collection, deployment, and diagnostic tools. SMS can significantly automate the task of upgrading software, allow remote problem solving, provide asset management information, manage software licenses, and monitor computers and networks.
Systems Network Architecture (SNA)
A communications framework developed by IBM to define network functions and establish standards for enabling computers to share and process data.
Sysvol
A shared directory that stores the server's copy of the domain's public files, which are replicated among all domain controllers in the domain. See also domain controller.



T1
A wide-area carrier that transmits data at 1.544 Mbps. A T1 line is also known as a DS-1 line.
T3
A wide-area carrier that transmits data at 44.736 Mbps. A T3 line is also known as a DS-3 line.
Task Offload
A process that allows tasks normally performed by the transport layer to be processed by the network adapter. This reduces the overhead required of the system CPU for these tasks, thus increasing the throughput.
taskbar
The bar that contains the Start button and appears by default at the bottom of the desktop. You can use the taskbar buttons to switch between the programs you are running. The taskbar can be hidden, moved to the sides or top of the desktop, or customized in other ways. See also desktop; taskbar button; status area.
taskbar button
A button that appears on the taskbar when an application is running. See also taskbar.
TCP
Transmission Control Protocol.
TCP connection
The logical connection that exists between two processes that are using TCP to exchange data.
TCP segment
The quantity consisting of the TCP header and its associated data. TCP segments are exchanged using a TCP connection.
TCP timestamps
The TCP option used to record the time a TCP segment was sent and a time the segment was acknowledged by the receiver.
TCP Window Scaling
The use of TCP options to create a TCP receive window size greater than 65,535 bytes. The use of TCP window scaling can improve TCP throughput in large bandwidth, high-delay environments.
TCP/IP
See Transmission Control Protocol/Internet Protocol.
TCP/IP filtering
A feature of Windows 2000 TCP/IP that allows you to specify exactly which types of incoming non-transit IP traffic are processed for each IP interface.
Telephony API (TAPI)
An application programming interface (API) used by communications programs to communicate with telephony and network services. See also Internet Protocol.
Telnet
A terminal-emulation protocol that is widely used on the Internet to log on to network computers. Telnet also refers to the application that uses the Telnet protocol for users who log on from remote locations.
Telnet 3270 (TN3270)
Terminal emulation software, similar to Telnet, that allows a personal computer to log on to an IBM mainframe over a TCP/IP network.
Telnet 5250 (TN5250)
Terminal emulation software, similar to Telnet, that allows a personal computer to log on to an IBM AS/400 host system over a TCP/IP network.
A device consisting of a display screen and a keyboard that is used to communicate with a computer.
text mode
The portion of Setup that uses a text-based interface.
thin client
A network computer that does not have a hard disk.
thread
A type of object within a process that runs program instructions. Using multiple threads allows concurrent operations within a process and enables one process to run different parts of its program on different processors simultaneously. A thread has its own set of registers, its own kernel stack, a thread environment block, and a user stack in the address space of its process.
thread state
A numeric value indicating the execution state of the thread. Numbered 0 through 5, the states seen most often are 1 for ready, 2 for running, and 5 for waiting.
three-way handshake
The series of three TCP segments that are exchanged when a TCP connection is established.
For disks, the transfer capacity of the disk system.
Tick Count
An estimate of the amount of time it takes an IPX packet to reach the destination network.
ticket-granting ticket
A credential issued to a user by the Key Distribution Center (KDC) when the user logs on. The user must present the TGT to the KDC when requesting session tickets for services. Because a TGT is normally valid for the life of the user's logon session, it is sometimes called a user ticket. See also Kerberos authentication protocol; Key Distribution Center; session ticket.
Time Service
A server cluster resource that maintains consistent time across all nodes.
Time To Live (TTL)
A timer value included in packets sent over TCP/IP-based networks that tells the recipients how long to hold or use the packet or any of its included data before expiring and discarding the packet or data. For DNS, TTL values are used in resource records within a zone to determine how long requesting clients should cache and use this information when it appears in a query response answered by a DNS server for the zone.
A Windows feature that beeps when one of the locking keys (CAPS LOCK, NUM LOCK, or SCROLL LOCK) is turned on or off.
Token Ring
A type of network media that connects clients in a closed ring and uses token passing to allow clients to use the network. See also Fiber Distributed Data Interface (FDDI).
tombstone
In Active Directory, an object that is removed from the directory but not yet deleted.
tombstone lifetime
The length of time that an object lives as a tombstone in the directory before being collected as garbage.
top-level domains
Domain names that are rooted hierarchically at the first tier of the domain namespace, directly beneath the root (.) of the DNS namespace. On the Internet, top-level domain names such as ".com" and ".org" are used to classify and assign second-level domain names (such as "microsoft.com") to individual organizations and businesses according to their organizational purpose. See also second-level domains.
topology
In Windows operating systems, the relationships among a set of network components. In the context of Active Directory replication, topology refers to the set of connections that domain controllers use to replicate information among themselves. See also domain controller; replication.
total instance
A unique instance that contains the performance counters that represent the sum of all active instances of an object.
totally stubby area
An OSPF area that does not advertise individual external networks or OSPF inter-area routes. A router's routing table within a totally stubby area contains intra-area routes and a default route (destination with the network mask of The default route summarizes all inter-area routes and all external routes.
tracing
A capability of components of the Windows 2000 Routing and Remote Access service that records internal component variables, function calls, and interactions. You can use tracing to troubleshoot complex network problems.
Traffic Control
A Windows 2000 mechanism that creates and regulates data flows with defined QoS parameters. The Traffic Control API (TC API) creates filters to direct selected packets through this flow. Traffic control is invoked by the QoS API and subsequently serviced by the RSVP SP.
Transaction Program Monitor
A monitor that manages the operating environment of the online transaction processing (OLTP) application by optimizing the use of operating system resources and the network. The TP Monitor provides a management platform for the system administrator that supports load balancing, fault tolerance, performance monitoring, and security.
A custom script created to customize the behavior of an installation by directly modifying the setup script and without repacking the application.
transit internetwork
The shared or public internetwork crossed by the encapsulated data.
transitive trust relationship
The trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. In Windows 2000 transitive trusts are always two-way relationships. See also domain tree; forest; nontransitive trust relationship.
Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of software networking protocols widely used on the Internet that provide communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
Transport Driver Interface (TDI)
In the Windows NT and Windows 2000 networking model, a common interface for network layer components. The TDI is not a single program, but a protocol specification to which the upper bounds of transport protocol device drivers are written. It allows software components above and below the transport layer to be mixed and matched without reprogramming.
transport layer
The network layer that handles error recognition and recovery. When necessary, it repackages long messages into small packets for transmission and, at the receiving end, rebuilds packets into the original message. The receiving transport layer also sends receipt acknowledgments.
Transport Layer Security (TLS)
A standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications for confidentiality.
transport protocol
A protocol that defines how data should be presented to the next receiving layer in the Windows NT and Windows 2000 networking model and packages the data accordingly. The transport protocol passes data to the network adapter driver through the network driver interface specification (NDIS) interface and to the redirector through the Transport Driver Interface (TDI).
trap
In Simple Network Management Protocol (SNMP), a message sent by an agent to a management system indicating that an event has occurred on the host running the agent. See also agent; authentication; Internet Protocol; Simple Network Management Protocol (SNMP).
trap destination
The management system that receives an SNMP trap message.
Trap message
An SNMP alarm message.
tree-root trust relationship
The trust relationship that is established when you add a new tree to an Active Directory forest. The Active Directory installation process automatically creates a transitive trust relationship between the domain you are creating (the new tree root) and the forest root.
For Network Monitor data captures, a set of conditions defined by a user that, when met, initiate an action such as stopping a capture or executing a program or command file.
triggered update
A route advertising algorithm that advertises changes in the network topology as they occur, rather than waiting for the next scheduled periodic advertisement.
Trivial File Transfer Protocol (TFTP)
A protocol that is used by an IntelliMirror server to download the initial files needed to begin the boot or installation process.
TrueType fonts
Fonts that are scalable and sometimes generated as bitmaps or soft fonts, depending on the capabilities of your printer. TrueType fonts are device-independent fonts that are stored as outlines. They can be sized to any height, and they can be printed exactly as they appear on the screen. See also font.
truncate
To remove files that are in remote storage from local storage, reclaiming space in local storage. When a premigrated file is truncated it is converted to a remote storage identifier or placeholder.
trust path
A series of trust links from one domain to another domain for passing authentication requests.
trust relationship
A logical relationship established between domains that allows pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be granted rights and permissions in a trusting domain, even though the user accounts or groups do not exist in the trusting domain's directory. See also authentication; domain; two-way trust relationship.
trusted forest
A forest that is connected to another forest by explicit or transitive trust. See also explicit trust relationship; forest; transitive trust relationship.
TTL
See Time To Live.
tunnel
The logical path by which the encapsulated packets travel through the transit internetwork.
tunneled data
Data that is sent through the tunneled, or encapsulated, portion of the connection.
tunneling
A method of using an internetwork infrastructure of one protocol to transfer a payload (the frames or packets) of another protocol.
tunneling protocol
A communication standard used to manage tunnels and encapsulate private data. Data that is tunneled must also be encrypted to be a VPN connection. Windows 2000 includes the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
two-way initiated connection
A demand-dial connection where either router can be the answering router or the calling router depending on who is initiating the connection. Both routers must be configured to initiate and accept a demand-dial connection. You use two-way initiated connections when traffic from either router can create the demand-dial connection.
two-way trust relationship
A link between domains in which each domain trusts user accounts in the other domain to use its resources. Users can log on from computers in either domain to the domain that contains their account. See also trust relationship.



UDP
See User Datagram Protocol.
unallocated space
Available disk space that is not allocated to any partition, logical drive, or volume. The type of object created on unallocated space depends on the disk type (basic or dynamic). For basic disks, unallocated space outside partitions can be used to create primary or extended partitions. Free space inside an extended partition can be used to create a logical drive. For dynamic disks, unallocated space can be used to create dynamic volumes. Unlike basic disks, the exact disk region used is not selected to create the volume. See also basic disk; dynamic disk; extended partition; logical drive; partition; primary partition; volume.
Unattended Setup
An automated, hands-free method of installing Windows 2000. During installation, Unattended Setup uses an answer file to supply data to Setup instead of requiring that an administrator interactively provide the answers.
UNC
See Universal Naming Convention.
UNC name
A full Windows 2000 name of a resource on a network. It conforms to the \\servername\sharename syntax, where servername is the server's name and sharename is the name of the shared resource. UNC names of directories or files can also include the directory path under the share name, with the following syntax: \\servername\sharename\directory\filename. UNC is also called Universal Naming Convention.
An address that identifies a specific, globally unique host.
unicast listening mode
A listening mode where the only frames that are considered for further processing are in a table of interesting destination media access control addresses on the network adapter. Typically, the only interesting addresses are the broadcast address (0xFF-FF-FF-FF-FF-FF) and the unicast address (also known as the media access control address) of the adapter.
Unicode
A fixed-width, 16-bit character-encoding standard capable of representing the letters and characters of the majority of the world's languages. Unicode was developed by a consortium of U.S. computer companies.
Uniform Resource Locator (URL)
An address that uniquely identifies a location on the Internet. A URL for a World Wide Web site is preceded with http://, as in the fictitious URL http://www.example.microsoft.com/. A URL can contain more detail, such as the name of a page of hypertext, usually identified by the file name extension .html or .htm. See also HTML; HTTP; IP address.
uninterruptible power supply (UPS)
A device connected between a computer and a power source to ensure that electrical flow is not interrupted. UPS devices use batteries to keep the computer running for a period of time after a power failure. UPS devices usually provide protection against power surges and brownouts as well.
universal group
A Windows 2000 group only available in native mode that is valid anywhere in the forest. A universal group appears in the Global Catalog but contains primarily global groups from domains in the forest. This is the simplest form of group and can contain other universal groups, global groups, and users from anywhere in the forest. See also domain local group; forest; Global Catalog.
Universal Naming Convention (UNC)
A convention for naming files and other resources beginning with two backslashes (\), indicating that the resource exists on a network computer. UNC names conform to the \\SERVERNAME\SHARENAME syntax, where SERVERNAME is the server's name and SHARENAME is the name of the shared resource. The UNC name of a directory or file can also include the directory path after the share name, with the following syntax: \\SERVERNAME\SHARENAME\DIRECTORY\FILENAME.
Universal Serial Bus (USB)
A serial bus with a bandwidth of 1.5 megabits per second (Mbps) for connecting peripherals to a microcomputer. USB can connect up to 127 peripherals, such as external CD-ROM drives, printers, modems, mice, and keyboards, to the system through a single, general-purpose port. This is accomplished by daisy chaining peripherals together. USB supports hot plugging and multiple data streams.
UNIX
A powerful, multiuser, multitasking operating system initially developed at AT&T Bell Laboratories in 1969 for use on minicomputers. UNIX is considered more portable (that is, less computer-specific) than other operating systems because it is written in C language. Newer versions of UNIX have been developed at the University of California at Berkeley and by AT&T.
unnamed data attribute
The default data stream of an NTFS file, sometimes referred to as $DATA.
unprepared state
A state that indicates a side of a medium that is not claimed or used by any application, but which does not have a free label on it. Applications cannot allocate unprepared media. This is a temporary state.
unrecognized media pool
A repository of blank media and media that are not recognized by Removable Storage.
unrecognized state
A state that indicates that the label types and label IDs of a medium are not recognized by Removable Storage.
up-to-dateness vector
In Active Directory replication, a value that the source domain controller uses to reduce the set of objects and attributes that it sends to the destination domain controller. The up-to-dateness vector is provided to the source domain controller by the destination domain controller and indicates the highest update sequence number (USN) of originating write that has been received for the relevant directory partition from the source domain controller.
update sequence number (USN)
In Active Directory replication, a 64-bit counter that is maintained by each Active Directory domain controller. At the start of each update transaction (originating or replicated) on a domain controller, the domain controller increments its current USN and associates this new value with the update request.
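The up-to-dateness vector and update sequence number entries above describe a filter: the source sends only originating writes newer than what the destination already holds from each originating domain controller. The simulation below is an added example with constructed data, a toy model of that mechanism and not Active Directory's replication code or its on-disk structures (the DC names, object names and values are all made up).

```python
"""Toy simulation of USNs and the up-to-dateness vector (added example;
constructed data, not Active Directory's own replication code)."""


class DomainController:
    """A domain controller holding one directory partition (toy model)."""

    def __init__(self, name):
        self.name = name
        self.usn = 0          # local USN counter (64-bit in AD; a Python int here)
        self.objects = {}     # object name -> record of its latest write
        # up-to-dateness vector: originating DC -> highest originating USN
        # received from it
        self.utd_vector = {}

    def _next_usn(self):
        """Every update transaction, originating or replicated, increments
        the local USN and is tagged with the new value."""
        self.usn += 1
        return self.usn

    def originating_write(self, obj, value):
        """A change made directly on this DC (an originating write)."""
        usn = self._next_usn()
        self.objects[obj] = {"origin": self.name, "origin_usn": usn,
                             "value": value, "local_usn": usn}
        self.utd_vector[self.name] = usn   # trivially up to date with itself

    def changes_for(self, dest_vector):
        """Source side: use the destination's up-to-dateness vector to
        reduce the set of objects sent to those whose originating write is
        newer than the highest USN the destination already has from that
        originating DC."""
        return [(obj, dict(rec)) for obj, rec in self.objects.items()
                if rec["origin_usn"] > dest_vector.get(rec["origin"], 0)]

    def apply_replicated(self, changes):
        """Destination side: apply each change as a replicated update,
        keeping the originating DC and USN, and advance the vector."""
        for obj, rec in changes:
            self.objects[obj] = {**rec, "local_usn": self._next_usn()}
            origin = rec["origin"]
            self.utd_vector[origin] = max(self.utd_vector.get(origin, 0),
                                          rec["origin_usn"])


def replicate(source, dest):
    """One replication cycle; returns the names of the objects transferred."""
    changes = source.changes_for(dest.utd_vector)
    dest.apply_replicated(changes)
    return [obj for obj, _ in changes]


def scenario():
    """Three constructed DCs: B pulls from A, C pulls from B, then C pulls
    from A.  The vector lets A skip changes C already received via B."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.originating_write("cn=alice", "phone=1")
    a.originating_write("cn=bob", "phone=2")
    first = replicate(a, b)           # both objects: B's vector is empty
    second = replicate(a, b)          # nothing: B has DC-A up to USN 2
    a.originating_write("cn=alice", "phone=3")
    third = replicate(a, b)           # only alice (originating USN 3 > 2)
    via_b = replicate(b, c)           # C receives DC-A's writes through B
    direct = replicate(a, c)          # nothing left: C's vector says DC-A: 3
    return {"first": first, "second": second, "third": third,
            "via_b": via_b, "direct": direct,
            "c_vector": dict(c.utd_vector), "b_usn": b.usn}
```

The last step is the point of the vector: C never replicated from A directly, yet A sends nothing, because the vector C presents is keyed by originating DC rather than by the partner it happened to pull from.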
user account
A record that consists of all the information that defines a user to Windows 2000. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. For Windows 2000 Professional and member servers, user accounts are managed by using Local Users and Groups. For Windows 2000 Server domain controllers, user accounts are managed by using Microsoft Active Directory Users and Computers. See also domain controller; group; user name.
user account objects
Objects used to identify a specific user account in Windows NT Server 4.0 or Windows 2000 Server.
User Datagram Protocol (UDP)
A TCP/IP component that offers a connectionless datagram service that guarantees neither delivery nor correct sequencing of delivered packets.
user mode
The processing mode in which applications run.
user name
A unique name identifying a user account to Windows 2000. An account's user name must be unique among the other group names and user names within its own domain or workgroup.
user network interface (UNI)
The interface between ATM users or end stations and an ATM switch or network. The UNI interface is defined in the ATM Forum UNI documents.
user password
The password stored in each user's account. Each user generally has a unique user password and must type that password when logging on or accessing a server.
user profile
A file which contains configuration information for a specific user, such as desktop settings, persistent network connections, and application settings. Each user's preferences are saved to a user profile that Windows NT and Windows 2000 use to configure the desktop each time a user logs on.
user rights
Tasks a user is permitted to perform on a computer system or domain. There are two types of user rights: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log on to a computer locally (at the keyboard). Both types are assigned by administrators to individual users or groups as part of the security settings for the computer. See also permission; privilege.
user ticket
See ticket-granting ticket.
users
A special group that contains all users who have user permissions on the server. When a Macintosh user assigns permissions to everyone, those permissions are given to the users and guests groups. See also everyone category; guest.
Utility Manager
A function of Windows 2000 that allows administrators to review the status of applications and tools and to customize features and add tools more easily.



value bar
The area of the System Monitor graph or histogram display that shows the last, average, minimum, and maximum statistics for the selected counter.
variable bit rate (VBR)
An ATM service type that guarantees service based on average and peak traffic rates. VBR is used for traffic that requires little or no cell loss. It transmits data in spurts, or bursts, rather than in a continuous stream.
variable length subnet masks (VLSM)
Subnet masks used to produce subnets of an IP network ID of different sizes.
variable length subnetting
The practice of subdividing the address space of an IP network ID into subnets of different sizes.
version ID
A counter used to determine which WINS database entries must be updated during replication. See also replication.
virtual channel identifier (VCI)
A section of the ATM cell header that contains the virtual channel address over which the cell is to be routed.
Virtual Circuit (VC)
A point-to-point connection for the transmission of data. This allows greater control of call attributes, such as bandwidth, latency, delay variation, and sequencing.
virtual link
A logical link between a backbone area border router and an area border router that is not connected to the backbone.
virtual memory
The space on the hard disk that Windows 2000 uses as memory. Because of virtual memory, the amount of memory taken from the perspective of a process can be much greater than the actual physical memory in the computer. The operating system does this in a way that is transparent to the application, by paging data that does not fit in physical memory to and from the disk at any given instant.
virtual network
A logical network that exists inside Novell NetWare and NetWare-compatible servers and routers but is not associated with a physical adapter. The virtual network appears to a user as a separate network. On a computer running Windows 2000 Server, programs advertise their location on a virtual network, not a physical network. The internal network number identifies a virtual network inside a computer. See also internal network number; external network number.
virtual path identifier (VPI)
A section of the ATM cell header that contains the virtual path address over which the cell is to be routed.
virtual private network (VPN)
The extension of a private network that encompasses links across shared or public networks, such as the Internet.
virtual private network connection
A link in which private data is encapsulated and encrypted.
virtual private networking
The act of configuring and creating a virtual private network.
virtual server
In a server cluster, a set of resources, including a Network Name resource and an IP address resource, that is contained by a resource group. To clients, a virtual server presents the appearance of a system that is running Windows NT Server or Windows 2000 Server.
voice input utility
A type of speech recognition program that allows users with disabilities to control the computer with their voice instead of a mouse or keyboard.
volume
A portion of a physical disk that functions as though it were a physically separate disk. In My Computer and Windows Explorer, volumes appear as local disks, such as drive C or drive D.
volume decommission
A process that occurs when a managed volume is no longer accessible. The data in remote storage is no longer associated with a placeholder or a premigrated file. This space is available for space reclamation.
volume mount points
New system objects in the version of NTFS included with Windows 2000 that represent storage volumes in a persistent, robust manner. Volume mount points allow the operating system to graft the root of a volume onto a directory.
volume set
A combination of partitions on a physical disk that appears as one logical drive. See also fault tolerance; stripe set.
VPN
See virtual private network.
VPN client
A computer that initiates a VPN connection to a VPN server. A VPN client can be an individual computer that obtains a remote access VPN connection or a router that obtains a router-to-router VPN connection.
VPN connection
The portion of the connection in which your data is encrypted.
VPN server
A computer that accepts VPN connections from VPN clients. A VPN server can provide a remote access VPN connection or a router-to-router VPN connection.



A feature that controls shut down and wake-up based on network events such as lack of network activity or disconnection.
WAN
See wide area network.
Web farm
A Network Load Balancing cluster of IIS servers that support client Web site requests.
Web server
A server that provides the ability to develop COM-based applications and to create large sites for the Internet and corporate intranets.
Well-Known Ports
Ports in the range 0 through 1023.
wide area network (WAN)
A communications network connecting geographically separated computers, printers, and other devices. A WAN allows any connected device to interact with any other on the network. See also local area network (LAN).
wildcard
In DNS, a character that can be substituted for another character during a query.
Windows 2000 MultiLanguage Version
A version of Windows 2000 that extends the native language support in Windows 2000 by allowing user interface languages to be changed on a per user basis. This version also minimizes the number of language versions you need to deploy across the network.
Windows 2000 Redirector
A software component that intercepts network requests and redirects them to network servers, workstations, printers and directory shares.
Windows 2000 Setup
The program that installs Windows 2000. Also known as Setup, Winnt32.exe, and Winnt.exe.
Windows Driver Model (WDM)
A specification for I/O device drivers that supports both Windows 2000 and Windows 98. WDM is based on a class/miniport driver architecture that is modular and extensible. WDM makes it easier for hardware vendors to support hardware devices.
Windows Installer (.msi files)
An operating system service that allows the operating system to manage the installation process. Windows Installer technologies are divided into two parts that work in combination: a client-side installer service (MSIEXEC.EXE) and a package file (.msi file). Windows Installer uses the information contained within a package file to install the application.
Windows Internet Name Service (WINS)
A software service that dynamically maps IP addresses to computer names (NetBIOS names). This allows users to access resources by name instead of requiring them to use IP addresses that are difficult to recognize and remember. WINS servers support clients running Windows NT 4.0 and earlier versions of Windows operating systems. See also Domain Name System (DNS).
Windows Management Instrumentation
Microsoft technology used to extend the Desktop Management Task Force (DMTF) Web-Based Enterprise Management (WBEM) initiative by representing physical and logical objects that exist in Windows management environments in a consistent and unified manner. WMI is designed to simplify the development of well-integrated management applications, allowing vendors to provide highly efficient, scalable management solutions for enterprise environments.
Windows NT 4.0-compatible Locator
See domain controller locator.
Windows Sockets (Winsock)
An industry-standard application programming interface (API) used on the Microsoft Windows operating system that provides a two-way, reliable, sequenced, and unduplicated flow of data.
Windows-based terminal
A terminal that uses a Windows operating system.
WinInstall LE
A repackaging tool that comes with Windows 2000 Server.
WINS
See Windows Internet Name Service.
WINS database
The database used to register and resolve computer names to IP addresses on Windows-based networks. The contents of this database are replicated at regular intervals throughout the network. See also push partner; pull partner; replication.
WINS lookup
A process by which a DNS server queries WINS to resolve names it does not find in its authoritative zones.
WINS proxy
A computer that listens to name query broadcasts and responds for those names not on the local subnet. The proxy communicates with a WINS server to resolve names and then caches them for a specific time period. See also Windows Internet Name Service (WINS).
WINS referral zone
A zone that refers DNS queries to WINS.
wire protocol
A protocol that defines the formats of client and server messages and interactions with various application programming interfaces (APIs), which provide programmatic access to these protocols.
working set
The amount of physical memory that the operating system has assigned to a process.
Workstation service
The system service that provides network connections and communications.



X.509 version 3 certificate
Version 3 of the ITU-T recommendation X.509 for syntax and format. This is the standard certificate format used by Windows 2000 certificate-based processes. An X.509 certificate includes the public key and information about the person or entity to whom the certificate is issued, information about the certificate, plus optional information about the certification authority (CA) issuing the certificate. See also certificate; public key.





ZAP (.zap) file
Zero Administration Windows application package file. A text file (similar to an .ini file) that describes how to install an application (which command line to use); the properties of the application (name, version, and language); and what entry points the application should automatically install (for file name extension, CLSID, and ProgID). A .zap file is generally stored in the same location on the network as the setup program it references.
zone
In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all the names within the zone. In the Macintosh environment, a logical grouping that simplifies browsing the network for resources, such as servers and printers. It is similar to a domain in Windows 2000 Server networking. See also domain; Domain Name System (DNS); DNS server.
zone file
A text file on a DNS name server containing resource records for a zone. See also zone.
zone list
In the Macintosh environment, a list that includes all of the zones associated with a particular network. Not to be confused with Windows 2000 DNS zones. See also zone.
zone transfer
The process by which DNS servers interact to maintain and synchronize authoritative name data. When a DNS server is configured as a secondary server for a zone, it periodically queries the master DNS server configured as its source for the zone. If the version of the zone kept by the master is different from the version on the secondary server, the secondary server pulls zone data from its master DNS server to update its copy of the zone. See also full zone transfer (AXFR); incremental zone transfer (IXFR); secondary server; zone.

© 1985-2000 Microsoft Corporation. All rights reserved.