This is a glossary of terms and acronyms used in Active Directory and related technologies.
AAD
Acronym for Azure Active Directory, the Active Directory directory service hosted in the Windows Azure cloud. Windows Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.
ACE
Acronym for Access Control Entry. An individual entry in the access control list (ACL) of a security descriptor. Specifies the permissions granted or denied to a trustee for the resource to which the ACE applies.
ACL
Acronym for Access Control List. A collection of Access Control Entries (ACEs) that specify the security applied to a resource.
Active Directory
Microsoft's directory service database for Windows networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently renamed Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Directory Services, or AD LDS (formerly called Active Directory Application Mode, or ADAM).
AD DS
Acronym for Active Directory Domain Services.
AD LDS
Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM. A database for directory-enabled applications that do not need AD DS.
ADAM
Acronym for Active Directory Application Mode, now renamed Active Directory Lightweight Directory Services (AD LDS).
ADO
Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Active Directory searches using ADO are only allowed in the LDAP namespace. ADO can also be used to access Microsoft Access databases, SQL Server databases, and even text files.
adprep
Active Directory command line tool to prepare a domain or forest for the introduction of new versions of Windows Server domain controllers. Upgrades the schema.
ADSI
Acronym for Active Directory Service Interface. A library of routines that provide an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).
ADSIEdit
A Windows Support tool for browsing and editing objects in Active Directory.
ADsPath
A string that specifies the provider and the path to an object in a directory. This string can be used to bind to the object in a script or program. In Active Directory, the provider can be either "LDAP://" or "WinNT://". If you use the LDAP provider, then what follows after the "LDAP://" moniker will be the Distinguished Name of the object. If you use the WinNT provider, the path to the object is in the form "Domain\Name", where "Domain" is the NetBIOS name of the domain (or local workstation) and "Name" is the Relative Distinguished Name (RDN) of the object.
ADUC
Acronym for Active Directory Users and Computers, the MMC snap-in used to manage objects in Active Directory. Besides users and computers, you can also use this tool to manage contacts, groups, containers, and Organizational Units.
AES
Acronym for Advanced Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Supersedes the Data Encryption Standard (DES).
ANR
Acronym for Ambiguous Name Resolution, an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause.
Attribute
Property or characteristic of an object in Active Directory. The attributes available for each class of object are defined in the Schema. The Schema defines the syntax and properties of each attribute.
BDC
Acronym for Backup Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.
CIM
Acronym for Common Information Model. The repository in the WMI schema that stores class definitions that model WMI managed resources.
CN
Acronym for Common Name. Also the moniker for objects with a common name in their distinguished names, for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com".
Common Name
Name of the attribute with lDAPDisplayName cn, which is the naming attribute for objects of class user, contact, computer, group, and container. The Relative Distinguished Name (RDN) of these objects is the value of the cn attribute, also referred to as the common name of the object. The moniker "cn" is also used in the distinguished names of these objects (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").
Configuration Container
The container in Active Directory that specifies the configuration of the forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.
Container
An object in Active Directory that can contain other objects, like users, contacts, computers, groups, and other containers. Active Directory containers cannot have group policies applied to them.
csvde
Command line utility to import objects into and export objects from Active Directory using comma-delimited text files.
DACL
Acronym for Discretionary Access Control List.
DC
Acronym for Domain Controller. Also the moniker for Domain Component, as used in distinguished names (for example "dc=mydomain,dc=com").
DC Locator
The process used by clients to discover domain controllers.
dcdiag
Command line utility used to analyze and report on the state of domain controllers.
dcpromo
Utility used to promote a computer with a Windows Server operating system that is joined to a domain into a domain controller. Installs Active Directory Domain Services. Also used to demote a domain controller by removing AD DS. Note that Server Manager is used instead of dcpromo to promote or demote a computer with Windows Server 2012 or higher.
DDNS
Acronym for Dynamic Domain Name System, or Dynamic DNS.
DES
Acronym for Data Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Superseded by the Advanced Encryption Standard (AES).
DFL
Acronym for Domain Functional Level. Specifies the versions of Windows Server supported as domain controllers in the domain, and the features of Active Directory that are available.
DHCP
Acronym for Dynamic Host Configuration Protocol. Service that provides centralized control of Internet Protocol (IP) addresses. DHCP servers assign dynamic IP addresses and TCP/IP settings to other computers.
Directory Service
Repository of network operating system information to manage users and other resources in a network.
Distinguished Name
A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. Sometimes abbreviated DN, this specifies the name of the object (the Relative Distinguished Name) in its parent container, and the location of the object in the hierarchical structure of Active Directory. The DN of an object is a string of components (Relative Distinguished Names) separated by commas (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com"). The distinguished name combined with the "LDAP://" moniker forms the ADsPath of the object.
DIT
Acronym for Directory Information Tree. The Active Directory database file on a Domain Controller is referred to as the DIT. The file name is ntds.dit.
DNS
Acronym for Domain Name System. The service that resolves computer names into IP addresses.
Domain
An X.500-based hierarchical database of containers and objects. Microsoft domains have a DNS domain name, a security service to authenticate and authorize access to resources, and policies that dictate functionality. Domains are boundaries for administration and replication.
Domain Controller
A server with Active Directory installed. A domain controller (DC) is authoritative for the domain to which the server is joined. It contains the Active Directory database for the domain namespace, plus the Configuration and Schema namespaces for the forest.
Domain Naming Master
The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.
FAS
Acronym for Filtered Attribute Set, the subset of attributes that are not replicated to Read-Only Domain Controllers (RODCs).
FFL
Acronym for Forest Functional Level. Specifies the versions of Windows Server supported as domain controllers in the forest, and the features of Active Directory that are available.
FGPP
Acronym for Fine-Grained Password Policy.
Forest
A collection of Active Directory trees that share a Configuration container and Schema and are connected through trusts.
FQDN
Acronym for Fully Qualified Domain Name.
FSMO
Acronym for Flexible Single Master Operations. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are the Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master, each defined in this glossary.
Fully Qualified Domain Name
The Fully Qualified Domain Name (FQDN) of a computer is the host name (the NetBIOS name) of the computer, followed by a dot, followed by the DNS name of the domain. The value of the sAMAccountName of the computer should be the NetBIOS name with the "$" character appended at the end. If the distinguished name of the domain is "dc=mycompany,dc=mydomain,dc=com", then the DNS name of the domain will be "mycompany.mydomain.com". If a computer in this domain has host name "mycomputer", then the FQDN will be "mycomputer.mycompany.mydomain.com". The FQDN of other classes of objects, like users, will be the value of the sAMAccountName attribute, followed by a dot, followed by the DNS name of the domain.
Functional Level
Specifies the versions of Windows Server supported as domain controllers in the domain or forest, and the features of Active Directory that are available.
GC
Acronym for Global Catalog.
Global Catalog
A read-only catalog of all objects in a forest, which contains a subset of the attributes. The subset of attributes is called the partial attribute set (PAS). A domain controller can be designated a GC.
GPMC
Acronym for Group Policy Management Console, the MMC used to manage group policy objects.
GPO
Acronym for Group Policy Object.
gpupdate
Command line utility to update group policy settings.
Group
An object in Active Directory that can have members. Members can be users, contacts, computers, or other groups.
Group Policy
Policies linked to Active Directory domains, organizational units, or groups, which are applied to the child objects within. Group Policies are defined in Group Policy Objects (GPOs).
GUID
Acronym for Globally Unique IDentifier. A 128-bit integer that should uniquely identify an object. Every object in Active Directory has an objectGUID attribute, which is the GUID of the object.
IADs
Interfaces supported by ADSI. Exposes methods and properties of namespace objects.
IFM
Acronym for Install From Media, a feature for installing software or enabling features from media.
IIS
Acronym for Internet Information Services.
Infrastructure Master
The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role.
ISTG
Acronym for InterSite Topology Generator. Automatically creates connection objects in Active Directory between domain controllers to enable replication.
KCC
Acronym for Knowledge Consistency Checker. A process in Active Directory that automatically generates and maintains connection objects that describe which naming contexts should be replicated between which domain controllers and when.
Kerberos
Primary authentication method used in Active Directory domains. Uses encrypted tickets to verify the identity of users and services. Older operating systems support DES encryption. Vista, Windows Server 2008, and newer operating systems support AES encryption.
LDAP
Acronym for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active Directory, or any LDAP compliant database. The LDAP syntax is a filter syntax used to query LDAP compliant databases.
ldifde
Command line utility to import objects into and export objects from Active Directory using ldif format text files. Can be used to create, modify, and delete Active Directory objects.
LDP
A graphical user interface (GUI) based LDAP client utility used to search, browse, and update LDAP compliant directories, such as Active Directory.
Method
Function or procedure implemented by code.
MFA
Acronym for Multi-Factor Authentication. Authentication that requires more than one verification method. Adds a second layer of security to logons. The verification methods can include: a password, biometrics, challenge response question, trusted device characteristics. A related concept is Two-Factor Authentication, or 2FA.
MMC
Acronym for Microsoft Management Console.
nbtstat
Command line utility to report NetBIOS over TCP/IP statistics.
NC
Acronym for Naming Context. A partition (namespace) in Active Directory. Examples include the Schema container, Configuration container, the Domain Naming context for each domain, and any application partitions.
.NET
The .NET Framework is a programming model designed to replace the Win32 and COM APIs. The major components are the Common Language Runtime (CLR) and the .NET Framework class libraries.
NetBIOS
Acronym for Network Basic Input/Output System. Service allowing applications on separate computers to communicate over a network. Uses NetBIOS over TCP/IP (NBT) protocol. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the "$" character. NetBIOS name to IP address resolution is provided by the WINS service on a WINS server.
netdiag
Command line utility to diagnose network and connectivity problems. Not supported after Windows Server 2003.
netdom
Command line utility to manage Active Directory domains and trusts.
nltest
Command line utility to perform network administration tasks.
NOS
Acronym for Network Operating System. An operating system installed on a server that allows clients to communicate and use resources shared on the server.
nslookup
Command line utility to diagnose Domain Name System (DNS) infrastructure problems.
ntdsutil
Command line utility to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
Object
An entry in the directory of a specific class. Objects in Active Directory have attributes appropriate for their class.
OID
Acronym for Object IDentifier. For example, each attribute in the Active Directory schema has a unique X.500 OID (the value of the attributeID attribute of the attribute). All OID values created by Microsoft begin with 1.2.840.113556. OID values are also used to identify attribute syntaxes and filter matching rules.
Organizational Unit
A type of container in an Active Directory domain. It can contain objects like users, computers, contacts, groups, or other OUs or containers. OUs can also have group policies applied.
OU
Acronym for Organizational Unit. Also the naming attribute for organizational unit objects in Active Directory, and the moniker used in their distinguished names (for example "ou=West,dc=mydomain,dc=com").
PAS
Acronym for Partial Attribute Set. The subset of attributes of the objects replicated to the Global Catalog.
PDC
Acronym for Primary Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.
PDC Emulator
The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It also is used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role.
PowerShell
Scripting language and command line shell based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with the .ps1 extension.
Property
Fixed values assigned to objects. In Active Directory, the properties of objects are often referred to as attributes. Active Directory attributes themselves have properties as specified in the Schema.
Provider
Library of interfaces including methods and properties that expose directory namespaces. Active Directory is supported by the LDAP and WinNT providers.
PSO
Acronym for Password Setting Object. Objects in the System container of Active Directory that implement Fine-Grained Password Policies.
RDN
Acronym for Relative Distinguished Name.
Relative Distinguished Name
The name of an object in Active Directory relative to its location in the hierarchical structure of Active Directory. The Relative Distinguished Name, abbreviated RDN, will be the lowest level component of the Distinguished Name. The RDN must be unique in the parent container or OU, while the DN will be unique in the forest.
repadmin
Command line utility to diagnose Active Directory replication between domain controllers.
Replication
The process by which domain controllers keep their Active Directory databases synchronized.
RID
Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.
RID Master
The RID Master role holder is the domain controller responsible for assigning pools of RIDs to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role.
RODC
Acronym for Read-Only Domain Controller. Cannot be used to update objects in Active Directory.
RootDSE
Root Directory Service Entry (or Root DS Entry), an object required of all LDAP compliant directories (such as Active Directory). Exposes a set of properties that are characteristic of the directory.
RSAT
Acronym for Remote Server Administration Tools.
RSO
Acronym for ReplicateSingleObject. A Read-Only Domain Controller (RODC) can request replication of a specific object with functionality known as a Replicate-Single-Object operation.
RSoP
Acronym for Resultant Set of Policy.
RUS
Acronym for Recipient Update Service.
RWDC
Acronym for Read-Write Domain Controller. A writeable domain controller, meaning it can be used to update objects in Active Directory. All domain controllers are writeable, unless they are a Read-Only Domain Controller (RODC).
SACL
Acronym for System Access Control List.
SAM
Acronym for Security Account Manager, the Windows NT account database format. A Windows NT SAM account database exposes a flat namespace.
Schema
Defines the structure of the data in a database. In Active Directory, the Schema container defines the object classes and the attributes that apply to each class in Active Directory.
Schema Container
The container within the Configuration container with objects that define the classes in Active Directory and the attributes that apply to the classes.
Schema Master
The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role.
SCP
Acronym for Service Connection Point object. These are objects in Active Directory usually published under the computer object where the corresponding service is installed. Used to maintain information about the service.
SDS
Acronym for System.DirectoryServices namespace. The primary namespace used for code that targets Active Directory in the .NET Framework.
Security Principal
An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).
Server
A computer with a server operating system that can share resources in a network. A Domain Controller is one type of server.
SID
Acronym for Security IDentifier. All objects in Active Directory that are security principals (users, computers, groups) have the objectSID attribute, which is a SID. The SID uniquely identifies the object for security permissions. The SID value includes several components, including a RID (Relative ID). The SID without the RID is the same for all objects in the domain. Each object in an Active Directory domain has its own unique RID value.
Site
An Active Directory site defines the boundaries of high-speed connectivity for optimal replication and authentication. Sites are defined in the Configuration container of Active Directory.
Site Link
An object in Active Directory that defines the connection between sites, allowing them to replicate with each other.
SOA
Acronym for Start Of Authority. Records created by Read-Only Domain Controllers for read-only DNS zones.
SRV
Service (SRV) records in DNS.
SSL
Acronym for Secure Sockets Layer.
Subnet
A portion of a network defined by a subnet mask applied to the IP addresses of the components. Subnets are defined in the Configuration container of Active Directory.
TGS
Service Ticket.
TGT
Acronym for Ticket-Granting Ticket.
Tombstone
Deleted objects in the "Deleted Objects" container are referred to as tombstones. When an object is deleted from Active Directory it, with most of its attributes, is moved to the "Deleted Objects" container. Objects remain in this container, where they can be reanimated, for the tombstone period after which they are permanently deleted.
Tree
A collection of Active Directory hierarchical domains in a contiguous namespace.
Trust
A relationship between domains that allows access by objects in one domain to resources in another.
Trustee
The identity of the object to which an Access Control Entry applies.
UPN
Acronym for User Principal Name, or the userPrincipalName attribute.
USN
Acronym for Update Sequence Number.
UTDV
Acronym for Up-To-Datedness Vector.
VBScript
Visual Basic Script Edition, a subset of the classic Visual Basic language. Programs written in VBScript are saved in files with the .vbs extension. VBScript programs can be run with either of two host programs, cscript.exe or wscript.exe.
VLV
Acronym for Virtual List View. Searching capability allowing display of results without returning every entry.
W32Time
Service that synchronizes the time on all computers in the forest.
WinNT
Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.
WINS
Acronym for Windows Internet Naming Service. Resolves computer NetBIOS names into IP Addresses.
WMI
Acronym for Windows Management Instrumentation. WMI is management technology allowing scripts and programs to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups.
WQL
Acronym for WMI Query Language, a subset of ANSI Structured Query Language (SQL) used to query WMI namespaces.
WSH
Acronym for Windows Script Host, an ActiveX scripting host providing an environment for the execution of scripts using one of several scripting engines or languages, such as VBScript.
Zone
A collection of contiguous hierarchical domain names. Portions of the DNS namespace delegated to one or more name servers.
Richard Mueller edited Revision 6. Comment: Added MFA
Richard Mueller edited Revision 5. Comment: Added AAD
Richard Mueller edited Revision 3. Comment: Added "Fully Qualified Domain Name"
Richard Mueller edited Revision 2. Comment: The netdiag utility is not supported after Windows Server 2003
Richard Mueller edited Revision 1. Comment: Corrected entry for adprep
Richard Mueller edited Original. Comment: Added to term RSO
good work
Awesome Blog Richard.