This is a glossary of terms and acronyms used in Active Directory and related technologies:

A  | B  | C  | D  | E  | F  | G  | H  | I  | J  | K  | L  | M  | N  | O  | P  | Q  | R  | S  | T  | U  | V  | W  | X  | Y  | Z

A

AAD

Acronym for Azure Active Directory. Active Directory Directory Services in the Windows Azure cloud. Windows Azure is the Microsoft cloud computing platform, and one of the services available is Active Directory.

ACE

Acronym for Access Control Entry. Individual entries in a security descriptor (called an access control list or ACL). Specifies permissions granted or denied to trustes for the resource to which the ACE applies.

ACL

Acronym for Access Control List. A collection of Access Control Entries (ACE's) that specify the security applied to a resource.

Active Directory

Microsoft's directory service database for Windows networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently renamed Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Domain Services, or AD LDS (formerly called Active Dirctory Application Mode, or ADAM).

AD DS

Acronym for Active Directory Directory Services.

AD LDS

Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM. A database for directory-enabled applications that do not need AD DS.

 

ADAM

Acronym for Active Directory Application Mode, now renamed Active Directory Lightweight Directory Services (AD LDS).

ADO

Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Active Directory searches using ADO are only allowed in the LDAP namespace. ADO can also be used to access Microsoft Access databases, SQL Server databases, and even text files.

adprep

Active Directory command line tool to prepare a domain or forest for the introduction of new versions of Windows Server domain controllers. Upgrades the schema.

ADSI

Acronym for Active Directory Service Interface. A library of routines that provide an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).

ADSIEdit

A Windows Support tool for browsing and editing objects in Active Directory.

ADsPath

A string that specifies the provider and the path to an object in a directory. This string can be used to bind to the object in a script or program. In Active Directory, the provider can be either "LDAP://" or "WinNT://". If you use the LDAP provider, then what follows after the "LDAP://" moniker will be the Distinguished Name of the object. If you use the WinNT provider, the path to the object is in the form "Domain\Name", where "Domain" is the NetBIOS name of the domain (or local workstation) and "Name" is the Relative Distinguished Name (RDN) of the object.

ADUC

Acronym for Active Directory Users and Computers, the MMC snap-in used to manage objects in Active Directory. Besides users and computers, you can also use this tool to manage contacts, groups, containers, and Organizational Units.

AES

Acronym for Advanced Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Supercedes the Data Encryption Standard (DES).

ANR

Acronym for Ambiguous Name Resolution, an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause.

Attribute

Property or characteristic of an object in Active Directory. The attributes available for each class of object is defined in the Schema. The Schema defines the syntax and properties of each attribute.

B

BDC

Acronym for Backup Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.

C

CIM

Acronym for Common Information Model. The repository in the WMI schema that stores class definitions that model WMI managed resources.

CN

Acronym for Common Name. Also the moniker for objects with a common name in their distinguished names, for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com".

Common Name

Name of the attribute with lDAPDisplayName cn, which is the naming attribute for objects of class user, contact, computer, group, and container. The Relative Distinguished Name (RDN) of these objects is the value of the cn attribute, also referred to as the common name of the object. The moniker "cn" is also used in the distinguished names of these objects (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").

Configuration Container

The container in Active Directory that specifies the configuration of the forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.

Container

An object in Active Directory that can contain other objects, like users, contacts, computers, groups, and other containers. Active Directory containers cannot have group policies applied to them.

csvde

Command line utiltity to import objects into and export objects from Active Directory using comma delimited text files.

D

DACL

Acronym for Discretionary Access Control List.

DC

Acronym for Domain Controller. Also the moniker for Domain Component, as used in distinguished names (for example "dc=mydomain,dc=com").

DC Locator

The process used by clients to discover domain controllers.

dcdiag

Command line utility used to analyze and report on the state of domain controllers.

dcpromo

Utility used to promote a computer with a Windows Server operating system that is joined to a domain into a domain controller. Installs Active Directory Domain Services. Also used to demote a domain controller by removing AD DS. Note that Server Manager is used instead of dcpromo to promote or demote a computer with Windows Server 2012 or higher.

DDNS

Acronym for Dynamic Domain Name System, or Dynamic DNS.

DES

Acronym for Data Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Superceded by the Advanced Encryption Standard (AES).

DFL

Acronym for Domain Functional Level. Specifies the versions of Windows Server supported as domain controllers in the domain, and the features of Active directory that are available.

DHCP

Acronym for Dynamic Host Configuration Protocol. Service that provides centralized control of Internet Protocol (IP) addresses. DHCP servers assign dynamic IP addresses and TCP/IP settings to other computers.

Directory Service

Repository of network operating system information to manage users and other resources in a network.

Distinguished Name

A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. Sometimes abbreviated DN, this specifies the name of the object (the Relative Distinguished Name) in it's parent container, and the location of the object in the hierarchical structure of Active Directory. The DN of an object is a string of components (Relative Distinguished Name's) separated by commas (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com"). The distinguished name combined with the "LDAP://" moniker forms the ADsPath of the object.

DIT

Acronym for Directory Information Tree. The Active Directory database file on a Domain Controller is referred to as the DIT. The file name is ntds.dit

DNS

Acronym for Domain Name System. The service that resolves computer names into IP addresses.

Domain

An X.500-based hierarchical database of containers and objects. Microsoft domains have a DNS domain name, a security service to authenticate and authorize access to resources, and policies that dictate functionality. Domains are boundaries for administration and replication.

Domain Controller

A server with Active Directory installed. A domain controller (DC) is authoritative for the domain to which the server is joined. It contains the Active Directory database for the domain namespace, plus the Configuration and Schema namespaces for the forest.

Domain Naming Master

The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.

E

F

FAS

Acronym for Filtered Attribute Set, the subset of attributes that are not replicated to Read-Only Domain Controllers (RODC's).

FFL

Acronym for Forest Functional Level. Specifies the versions of Windows Server supported as domain controllers in the forest, and the features of Active directory that are available.

FGPP

Acronym for Fine-Grained Password Policy.

Forest

A collection of Active Directory trees that share a Configuration container and Schema and are connected through trusts.

FQDN

Acronym for Fully Qualified Domain Name.

FSMO

Acronym for Flexible Single Master Operator. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are:

• Schema Master (one for the forest)
• Domain Naming Master (one for the forest)
• PDC Emulator (one for each domain)
• RID Master (one for each domain)
• Infrastructure Master (one for each domain)

Fully Qualified Domain Name

The Fully Qualified Domain Name (FQDN) of a computer is the host name (the NetBIOS name) of the computer, followed by a dot, followed by the DNS name of the domain. The value of the sAMAccountName of the computer should be the NetBIOS name with the "$" character appended at the end. If the distinguished name of the domain is "dc=mycompany,dc=mydomain,dc=com", then the DNS name of the domain will be "mycompany.mydomain.com". If a computer in this domain has host name "mycomputer", then the FQDN will be "mycomputer,mycompany.mydomain.com". The FQDN of other classes of objects, like users, will be the value of the sAMAccountName attribute, followed by a dot, followed by the DNS name of the domain.

Functional Level

Specifies the versions of Windows Server supported as domain controllers in the domain or forest, and the features of Active directory that are available.

G

GC

Acronym for Global Catalog.

Global Catalog

A read-only catalog of all objects in a forest, which contains a subset of the attributes. The subset of attributes is called the partial attribute set (PAS). A domain controller can be designated a GC.

GPMC

Acronym for Group Policy Management Console, the MMC used to manage group policy objects.

GPO

Acronym for Group Policy Object.

gpupdate

Command line utility to update group policy settings.

Group

An object in Active Dirctory that can have members. Members can be users, contacts, computers, or other groups.

Group Policy

Policies linked to Active Directory domains, organizational units, or groups, which are applied to the child objects within. Group Policies are defined in Group Policy Objects (GPO's).

GUID

Acronym for Globally Unique IDentifier. A 128-bit integer that should uniquely identify an object. Every object in Active Directory has an objectGUID attribute, which is the GUID of the object.

H

I

IADs

Interfaces supported by ADSI. Exposes methods and properties of namespace objects.

IFM

Acronym for Install From Media, a feature for installing software or enabling features from media.

IIS

Acronym for Internet Information Services.

Infrastructure Master

The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role.

ISTG

Acronym for InterSite Topology Generator. Automatically creates connection objects in Active Directory between domain controllers to enable replication.

J

K

KCC

Acronym for Knowledge Consistency Checker. A process in Active Directory that automatically generates and maintains connection objects that describe which naming contexts should be replicated between which domain controllers and when.

Kerberos

Primary authentication method used in Active Directory domains. Uses encrypted tickets to verify the identity of users and services. Older operating systems support DES encryption. Vista, Windows Server 2008, and newer operating systems support AES encryption.

L

LDAP

Acronym for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active Directory, or any LDAP compliant database. The LDAP syntax is a filter syntax used to query LDAP compliant databases.

ldifde

Command line utility to import objects into and export objects from Active Directory using ldif format text files. Can be used to create, modify, and delete Active Directory objects.

LDP

A graphical user interface (GUI) based LDAP client utility used to search, browse, and update LDAP compliant directories, such as Active Directory.

M

Method

Function or procedure implemented by code.

MFA

Acronym for Multi-Factor Authentication. Authentication that requires more than one verification method. Adds a second layer of security to logons. The verification methods can include: a password, biometrics, challenge response question, trusted device characteristics. A related concept is Two-Factor Authentication, or 2FA.

MMC

Acronym for Microsoft Management Console.

N

nbstat

Command line utility to report NetBIOS over TCP/IP statistics.

NC

Acronym for Naming Context. A partition (namespace) in Active Directory. Examples include the Schema container, Configuration container, the Domain Naming context for each domain, and any application partitions.

.NET

The .NET Framework is a programming model designed to replace the Win32 and COM APIs. The major components are the Common Language Runtime (CLR) and the .NET Framework class libraries.

NetBIOS

Acronym for Network Basic Input/Output System. Service allowing applications on separate computers to communicate over a network. Uses NetBIOS over TCP/IP (NBT) protocol. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the "$" character. NetBIOS name to IP address resolution is provided by the WINS service on a WINS server.

netdiag

Command line utility to diagnose network and connectivity problems. Not supported after Windows Server 2003.

netdom

Command line utility to manage Active Directory domains and trusts.

nltest

Command line utility to preform network administration tasks.

NOS

Acronym for Network Operating System. An operating system installed on a server that allows clients to communicate and share resources shared on the server.

nslookup

Command line utility to diagnose Domain Name Service (DNS) infrastructure problems.

ntdsutil

Command line utility to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

O

Object

An entry in the directory of a specific class. Objects in Active Directory have attributes appropriate for their class.

OID

Acronym for Object IDentifier. For example, each attribute in the Active Directory schema has a unique X.500 OID (the value of the attributeID attribute of the attribute). All OID values created by Microsoft begin with 1.2.840.113556. OID values are also used to identify attribute syntaxes and filter matching rules.

Organizational Unit

A type of container in an Active Directory domain. It can contain objects like users, computers, contacts, groups, or other OU's or containers. OU's can also have group policies applied.

OU

Acronym for Organizational Unit. Also the naming attribute for organizational unit objects in Active Directory, and the moniker used in their distinguished names (for example "ou=West,dc=mydomain,dc=com").

P

PAS

Acronym for Partial Attribute Set. The subset of attributes of the objects replicated to the Global Catalog.

PDC

Acronym for Primary Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.

PDC Emulator

The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It also is used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role.

PowerShell

Scripting language and command line shell based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with the .ps1 extension.

Property

Fixed values assigned to objects. In Active Directory, the properties of objects are often referred to as attributes. Active Directory attributes themselves have properties as specified in the Schema.

Provider

Library of interfaces including methods and properties that expose directory namespaces. Active Directory is supported by the LDAP and WinNT providers.

PSO

Acronym for Password Setting Object. Objects in the System container of Active Directory that implement Fine-Grained Password Policies.

Q

R

RDN

Acronym for Relative Distinguished Name.

Relative Distinguished Name

The name of an object in Active Directory relative to it's location in the hierarchical structure of Active Directory. The Relative Distinguished Name, abbreviated RDN, will be the lowest level component of the Distinguished Name. The RDN must be unique in the parent container or OU, while the DN will be unique in the forest.

repadmin

Command line utility to diagnose Active Directory replication between domain controllers.

Replication

The process by which domain controllers keep their Active Directory databases synchronized.

RID

Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.

RID Master

The RID Master role holder is the domain controller responsible for assigning pools of RID's to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role.

RODC

Acronym for Read-Only Domain Controller. Cannot be used to update objects in Active Directory.

RootDSE

Root Directory Service Entry (or Root DS Entry), an object required of all LDAP compliant directories (such as Active Directory). Exposes a set of properties that are charactistic of the directory.

RSAT

Acronym for Remote Server Administration Tools.

RSO

Acronym for ReplicateSingleObject. A Read-Only Domain Controller (RODC) can request replication of a specifc object with functionality known as a Replicate-Single-Object operation.

RSoP

Acronym for Resultant Set of Policy.

RUS

Acronym for Recipient Update Service.

RWDC

Acronym for Read-Write Domain Controller. A writeable domain controller, meaning it can be used to update objects in Active Directory. All domain controllers are writeable, unless they are a Read-Only Domain Controller (RODC).

S

SACL

Acronym for System Access Control List.

SAM

Acronym for Security Account Manager, the Windows NT account database format. A Windows NT SAM account database exposes a flat namespace.

Schema

Defines the structure of the data in a database. In Active Directory, the Schema container defines the object classes and the attributes that apply to each class in Active Directory.

Schema Container

The container within the Configuration container with objects that define the classes in Active Directory and the attributes that apply to the classes.

Schema Master

The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role.

SCP

Acronym for Service Connection Point object. These are objects in Active Directory usually published under the computer object where the corresponding service is installed. Used to maintain information about the service.

SDS

Acronym for System.DirectoryServices namespace. The primary namespace used for code that targets Active Directory in the .NET Framework.

Security Principal

An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).

Server

A computer with a server operating system that can share resources in a network. A Domain Controller is one type of server.

SID

Acronym for Security IDentifier. All objects in Active Directory that are security principals (users, computers, groups) have the objectSID attribute, which is a SID. The SID uniquely identifies the object for security permissions. The SID value includes several components, including a RID (Relative ID). The SID without the RID is the same for all objects in the domain. Each object in an Active Directory domain has its own unique RID value.

Site

An Active Directory site defines the boundaries of high-speed connectivity for optimal replication and authentication. Sites are defined in the Configuration container of Active Directory.

Site Link

An object in Active Directory that defines the connection between sites, allowing them to replicate with each other.

SOA

Acronym for Start Of Authority. Records created by Read-Only Domain Controllers for read-only DNS zones.

SRV

Service Records.

SSL

Acronym for Secure Sockets Layer.

Subnet

A portion of a network defined by a subnet mask applied to the IP addresses of the components. Subnets are defined in the Configuration container of Active Directory.

T

TGS

Service Ticket.

TGT

Acronym for Ticket-Granting Ticket.

Tombstone

Deleted objects in the "Deleted Objects" container are referred to as tombstones. When an object is deleted from Active Directory it, with most of its attributes, is moved to the "Deleted Objects" container. Objects remain in this container, where they can be reanimated, for the tombstone period after which they are permanently deleted.

Tree

A collection of Active Directory hierarchical domains in a contiguous namespace.

Trust

A relationship between domains that allows access by objects in one domain to resources in another.

Trustee

The identity of the object to which an Access Control Entry applies.

U

UPN

Acronym for User Principal Name, or the userPrincipalName attribute.

USN

Acronym for Update Sequence Number.

UTDV

Acronym for Up-To-Datedness Vector.

V

VBScript

Visual Basic Script Edition, a subset of the classic Visual Basic language. Programs written in VBScript are saved in files with the .vbs extension. VBScript programs can be run with either of two host programs, cscript.exe or wscript.exe.

VLV

Acronym for Virtual List View. Searching capability allowing display of results without returning every entry.

W

W32Time

Service that synchronizes the time on all computers in the forest.

WinNT

Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.

WINS

Acronym for Windows Internet Naming Service. Resolves computer NetBIOS names into IP Addresses.

WMI

Acronym for Windows Management Instrumentation. WMI is management technology allowing scripts and programs to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups.

WQL

Acronym for WMI Query Language, as subset of ANSI Structured Query Language (SQL) used to query WMI namespaces.

WSH

Acronym for Windows Script Host, an ActiveX scripting host providing an environment for the execution of scripts using one of several scripting engines or languages, such as VBScript.

X

Y

Z

Zone

A collection of contiguous hierarchical domain names. Portions of the DNS namespace delegated to one or more name servers.