  • DACL
    See discretionary access-control list.

  • data model
    The Active Directory data model is derived from the X.500 data model. The directory holds objects that represent various elements described by attributes. The types of objects stored in the directory are defined in the schema. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it may have, and which object classes can be a parent of the current object class.

  • DC
    See domain controller or domain component.

  • delegation
    Delegation is one of the most important security features of Active Directory. Delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups. This eliminates the need for domain administrators with broad authority over large segments of users. An access-control entry can grant specific administrative rights on the objects in a container to a user or group. Rights are granted for specific operations on specific object classes using an ACE in the container access-control list.

  • directory
    A directory is a store for object data. For example, a telephone directory stores telephone subscriber data. In a file system, the directory stores file data. In a distributed computing system, like the Internet, there are many objects, such as printers, fax servers, applications, databases, and users.

  • directory client
    A server, workstation, or application that accesses a directory service, using the LDAP protocol, to query the directory for object data.

  • directory partition
    A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one or more Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition, the configuration partition, and a domain partition.

  • directory service
    A service that provides access to data and objects in a directory or network environment.

  • directory system agent
    The directory system agent is the process that provides access to the physical storage for Active Directory.

  • discretionary access-control list
    A list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object.

  • distinguished name
    A fully qualified unique name, used to identify an object in a directory, that specifies the complete path to the object through the hierarchy of directory containers.

  • DN
    See distinguished name.

  • DNS
    See Domain Name System.

  • domain
    In Active Directory, a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.

  • domain component
    A domain component is used to indicate an element of a distinguished name that is part of a domain. For example, "CN=Jeff Smith,CN=Users,DC=Fabrikam,DC=com" contains the domain components "Fabrikam" and "com".

  • domain controller
    A server computer, running on Windows NT, Windows 2000, or Windows Server 2003, that contains a replica of all the objects and object attributes in the domain.

  • domain forest
    Also called a forest. A logical structure formed by combining two or more Windows 2000 or Windows Server 2003 domain trees.

  • domain local group
    A group that can contain members from any domain, but can be granted permissions only to resources in its own domain.

  • Domain Name System
    A hierarchical naming system for identifying Transmission Control Protocol/Internet Protocol (TCP/IP) hosts on the Internet.

  • domain partition
    A directory partition that contains the objects, such as users and computers, associated with the local domain.

  • domain tree
    A hierarchical grouping of Windows 2000 or Windows Server 2003 domains.

  • DSA
    See directory system agent.