Revision #5


This is a glossary of terms and acronyms used in Active Directory and related technologies:




ACE

Acronym for Access Control Entry. Individual entries in a security descriptor (called an access control list or ACL). Specifies permissions granted or denied to trustees for the resource to which the ACE applies.


ACL

Acronym for Access Control List. A collection of Access Control Entries (ACE's) that specify the security applied to a resource.

Active Directory

Microsoft's directory service database for Windows networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Recently renamed Active Directory Domain Services, or AD DS. Microsoft also has a product called Active Directory Lightweight Directory Services, or AD LDS (formerly called Active Directory Application Mode, or ADAM).


AD DS

Acronym for Active Directory Domain Services.


AD LDS

Acronym for Active Directory Lightweight Directory Services. This used to be called Active Directory Application Mode, or ADAM. A database for directory-enabled applications that do not need AD DS.



ADAM

Acronym for Active Directory Application Mode, now renamed Active Directory Lightweight Directory Services (AD LDS).


ADO

Acronym for ActiveX Data Objects. ADSI can act as an OLE-DB provider that allows database queries of Active Directory using ADO. Active Directory searches using ADO are only allowed in the LDAP namespace. ADO can also be used to access Microsoft Access databases, SQL Server databases, and even text files.


adprep

Active Directory command line tool to prepare a domain or forest for the introduction of new versions of Windows Server domain controllers. Upgrades the schema.


ADSI

Acronym for Active Directory Service Interface. A library of routines that provide an interface to various directory namespaces, such as Active Directory, the Windows NT SAM account database, Novell bindery, Novell NDS, and Internet Information Server (IIS).


ADSI Edit

A Windows Support tool for browsing and editing objects in Active Directory.


ADsPath

A string that specifies the provider and the path to an object in a directory. This string can be used to bind to the object in a script or program. In Active Directory, the provider can be either "LDAP://" or "WinNT://". If you use the LDAP provider, then what follows after the "LDAP://" moniker will be the Distinguished Name of the object. If you use the WinNT provider, the path to the object is in the form "Domain\Name", where "Domain" is the NetBIOS name of the domain (or local workstation) and "Name" is the Relative Distinguished Name (RDN) of the object.


ADUC

Acronym for Active Directory Users and Computers, the MMC snap-in used to manage objects in Active Directory. Besides users and computers, you can also use this tool to manage contacts, groups, containers, and Organizational Units.


AES

Acronym for Advanced Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Supersedes the Data Encryption Standard (DES).


ANR

Acronym for Ambiguous Name Resolution, an efficient search algorithm in Active Directory that allows you to specify complex filters involving multiple naming-related attributes in a single clause.


Attribute

Property or characteristic of an object in Active Directory. The attributes available for each class of object are defined in the Schema. The Schema defines the syntax and properties of each attribute.



BDC

Acronym for Backup Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.



CIM

Acronym for Common Information Model. The repository in the WMI schema that stores class definitions that model WMI managed resources.


CN

Acronym for Common Name. Also the moniker for objects with a common name in their distinguished names, for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com".

Common Name

Name of the attribute with lDAPDisplayName cn, which is the naming attribute for objects of class user, contact, computer, group, and container. The Relative Distinguished Name (RDN) of these objects is the value of the cn attribute, also referred to as the common name of the object. The moniker "cn" is also used in the distinguished names of these objects (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com").

Configuration Container

The container in Active Directory that specifies the configuration of the forest. Specifies such things as partitions, sites, servers, display specifiers, services, physical locations, well-known security principals, and forest updates.


Container

An object in Active Directory that can contain other objects, like users, contacts, computers, groups, and other containers. Active Directory containers cannot have group policies applied to them.


csvde

Command line utility to import objects into and export objects from Active Directory using comma delimited text files.



DACL

Acronym for Discretionary Access Control List.


DC

Acronym for Domain Controller. Also the moniker for Domain Component, as used in distinguished names (for example "dc=mydomain,dc=com").

DC Locator

The process used by clients to discover domain controllers.


dcdiag

Command line utility used to analyze and report on the state of domain controllers.


dcpromo

Utility used to promote a computer with a Windows Server operating system that is joined to a domain to a domain controller. Installs Active Directory Domain Services. Also used to demote a domain controller by removing AD DS. Note that Server Manager is used instead of dcpromo to promote or demote a computer with Windows Server 2012 or higher.


DDNS

Acronym for Dynamic Domain Name System, or Dynamic DNS.


DES

Acronym for Data Encryption Standard. A specification for the encryption of electronic data used by Kerberos. Superseded by the Advanced Encryption Standard (AES).


DFL

Acronym for Domain Functional Level. Specifies the versions of Windows Server supported as domain controllers in the domain, and the features of Active Directory that are available.


DHCP

Acronym for Dynamic Host Configuration Protocol. Service that provides centralized control of Internet Protocol (IP) addresses. DHCP servers assign dynamic IP addresses and TCP/IP settings to other computers.

Directory Service

Repository of network operating system information to manage users and other resources in a network.

Distinguished Name

A string that uniquely identifies an object in Active Directory. Used by the LDAP provider to bind to the object. Sometimes abbreviated DN, this specifies the name of the object (the Relative Distinguished Name) in its parent container, and the location of the object in the hierarchical structure of Active Directory. The DN of an object is a string of components (Relative Distinguished Names) separated by commas (for example "cn=Jim Smith,ou=West,dc=mydomain,dc=com"). The distinguished name combined with the "LDAP://" moniker forms the ADsPath of the object.


DIT

Acronym for Directory Information Tree. The Active Directory database file on a Domain Controller is referred to as the DIT. The file name is ntds.dit.


DNS

Acronym for Domain Name System. The service that resolves computer names into IP addresses.


Domain

An X.500-based hierarchical database of containers and objects. Microsoft domains have a DNS domain name, a security service to authenticate and authorize access to resources, and policies that dictate functionality. Domains are boundaries for administration and replication.

Domain Controller

A server with Active Directory installed. A domain controller (DC) is authoritative for the domain to which the server is joined. It contains the Active Directory database for the domain namespace, plus the Configuration and Schema namespaces for the forest.

Domain Naming Master

The Domain Naming Master role holder is the domain controller that controls changes to the forest-wide namespace. The domain controller with this role can add, remove, rename, or move domains in the forest. It is also required to create application partitions. One domain controller in the forest must hold this role.




FAS

Acronym for Filtered Attribute Set, the subset of attributes that are not replicated to Read-Only Domain Controllers (RODC's).


FFL

Acronym for Forest Functional Level. Specifies the versions of Windows Server supported as domain controllers in the forest, and the features of Active Directory that are available.


FGPP

Acronym for Fine-Grained Password Policy.


Forest

A collection of Active Directory trees that share a Configuration container and Schema and are connected through trusts.


FQDN

Acronym for Fully Qualified Domain Name.


FSMO

Acronym for Flexible Single Master Operator. These are roles that are assigned only to designated domain controllers, either one in each domain, or one in the forest. The five FSMO roles are:

  • Schema Master (one for the forest)
  • Domain Naming Master (one for the forest)
  • PDC Emulator (one for each domain)
  • RID Master (one for each domain)
  • Infrastructure Master (one for each domain)

Fully Qualified Domain Name

The Fully Qualified Domain Name (FQDN) of a computer is the host name (the NetBIOS name) of the computer, followed by a dot, followed by the DNS name of the domain. The value of the sAMAccountName of the computer should be the NetBIOS name with the "$" character appended at the end. If the distinguished name of the domain is "dc=mycompany,dc=mydomain,dc=com", then the DNS name of the domain will be "". If a computer in this domain has host name "mycomputer", then the FQDN will be "mycomputer,". The FQDN of other classes of objects, like users, will be the value of the sAMAccountName attribute, followed by a dot, followed by the DNS name of the domain.

Functional Level

Specifies the versions of Windows Server supported as domain controllers in the domain or forest, and the features of Active Directory that are available.



GC

Acronym for Global Catalog.

Global Catalog

A read-only catalog of all objects in a forest, which contains a subset of the attributes. The subset of attributes is called the partial attribute set (PAS). A domain controller can be designated a GC.


GPMC

Acronym for Group Policy Management Console, the MMC used to manage group policy objects.


GPO

Acronym for Group Policy Object.


gpupdate

Command line utility to update group policy settings.


Group

An object in Active Directory that can have members. Members can be users, contacts, computers, or other groups.

Group Policy

Policies linked to Active Directory domains, organizational units, or groups, which are applied to the child objects within. Group Policies are defined in Group Policy Objects (GPO's).


GUID

Acronym for Globally Unique IDentifier. A 128-bit integer that should uniquely identify an object. Every object in Active Directory has an objectGUID attribute, which is the GUID of the object.




Interfaces supported by ADSI. Exposes methods and properties of namespace objects.


IFM

Acronym for Install From Media, a feature for installing software or enabling features from media.


IIS

Acronym for Internet Information Services.

Infrastructure Master

The Infrastructure Master role holder is the domain controller that maintains references, called phantoms, to objects in other domains. One domain controller in each domain must hold this role.


ISTG

Acronym for InterSite Topology Generator. Automatically creates connection objects in Active Directory between domain controllers to enable replication.




KCC

Acronym for Knowledge Consistency Checker. A process in Active Directory that automatically generates and maintains connection objects that describe which naming contexts should be replicated between which domain controllers and when.


Kerberos

Primary authentication method used in Active Directory domains. Uses encrypted tickets to verify the identity of users and services. Older operating systems support DES encryption. Windows Vista, Windows Server 2008, and newer operating systems support AES encryption.



LDAP

Acronym for Lightweight Directory Access Protocol. A language based on the X.500 directory standard that allows clients and servers to communicate. The LDAP provider allows access to the hierarchical structure of Active Directory, or any LDAP compliant database. The LDAP syntax is a filter syntax used to query LDAP compliant databases.


ldifde

Command line utility to import objects into and export objects from Active Directory using LDIF format text files. Can be used to create, modify, and delete Active Directory objects.


LDP

A graphical user interface (GUI) based LDAP client utility used to search, browse, and update LDAP compliant directories, such as Active Directory.



Method

Function or procedure implemented by code.


MMC

Acronym for Microsoft Management Console.



nbtstat

Command line utility to report NetBIOS over TCP/IP statistics.


NC

Acronym for Naming Context. A partition (namespace) in Active Directory. Examples include the Schema container, Configuration container, the Domain Naming context for each domain, and any application partitions.


.NET Framework

The .NET Framework is a programming model designed to replace the Win32 and COM APIs. The major components are the Common Language Runtime (CLR) and the .NET Framework class libraries.


NetBIOS

Acronym for Network Basic Input/Output System. Service allowing applications on separate computers to communicate over a network. Uses NetBIOS over TCP/IP (NBT) protocol. The NetBIOS name of a computer is generally the first 15 characters of the host name, followed by the "$" character. NetBIOS name to IP address resolution is provided by the WINS service on a WINS server.


netdiag

Command line utility to diagnose network and connectivity problems. Not supported after Windows Server 2003.


netdom

Command line utility to manage Active Directory domains and trusts.


net

Command line utility to perform network administration tasks.


NOS

Acronym for Network Operating System. An operating system installed on a server that allows clients to communicate and share resources shared on the server.


nslookup

Command line utility to diagnose Domain Name Service (DNS) infrastructure problems.


ntdsutil

Command line utility to manage Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).



Object

An entry in the directory of a specific class. Objects in Active Directory have attributes appropriate for their class.


OID

Acronym for Object IDentifier. For example, each attribute in the Active Directory schema has a unique X.500 OID (the value of the attributeID attribute of the attribute). All OID values created by Microsoft begin with 1.2.840.113556. OID values are also used to identify attribute syntaxes and filter matching rules.

Organizational Unit

A type of container in an Active Directory domain. It can contain objects like users, computers, contacts, groups, or other OU's or containers. OU's can also have group policies applied.


OU

Acronym for Organizational Unit. Also the naming attribute for organizational unit objects in Active Directory, and the moniker used in their distinguished names (for example "ou=West,dc=mydomain,dc=com").



PAS

Acronym for Partial Attribute Set. The subset of attributes of the objects replicated to the Global Catalog.


PDC

Acronym for Primary Domain Controller. In NT domains there was one primary domain controller and zero or more backup domain controllers. The concepts no longer apply in Active Directory, which uses a multi-master database system where all domain controllers are essentially equal.

PDC Emulator

The PDC Emulator role holder acts as the Windows NT Primary Domain Controller (PDC) for backward compatibility. It also is used to forward password changes immediately to other domain controllers and serves as the primary time source for the domain. The PDC Emulator is also targeted by most Group Policy tools. One domain controller in each domain must hold this role.


PowerShell

Scripting language and command line shell based on C# and the Microsoft .NET Framework. PowerShell statements can be entered one at a time in the PowerShell command line shell, or in a script with the statements saved in a file with the .ps1 extension.


Property

Fixed values assigned to objects. In Active Directory, the properties of objects are often referred to as attributes. Active Directory attributes themselves have properties as specified in the Schema.


Provider

Library of interfaces including methods and properties that expose directory namespaces. Active Directory is supported by the LDAP and WinNT providers.


PSO

Acronym for Password Setting Object. Objects in the System container of Active Directory that implement Fine-Grained Password Policies.




RDN

Acronym for Relative Distinguished Name.

Relative Distinguished Name

The name of an object in Active Directory relative to its location in the hierarchical structure of Active Directory. The Relative Distinguished Name, abbreviated RDN, will be the lowest level component of the Distinguished Name. The RDN must be unique in the parent container or OU, while the DN will be unique in the forest.


repadmin

Command line utility to diagnose Active Directory replication between domain controllers.


Replication

The process by which domain controllers keep their Active Directory databases synchronized.


RID

Acronym for Relative IDentifier. All security principals (users, computers, and groups) in Active Directory have a Security ID (SID). SID values include several components, including the RID. The SID without the RID is the same for all objects in a domain. The RID value uniquely identifies the object in the domain.

RID Master

The RID Master role holder is the domain controller responsible for assigning pools of RID's to all domain controllers in the domain. A RID is required whenever a security principal is created in Active Directory. One domain controller in each domain must hold this role.


RODC

Acronym for Read-Only Domain Controller. Cannot be used to update objects in Active Directory.


RootDSE

Root Directory Service Entry (or Root DS Entry), an object required of all LDAP compliant directories (such as Active Directory). Exposes a set of properties that are characteristic of the directory.


RSAT

Acronym for Remote Server Administration Tools.


RSO

Acronym for ReplicateSingleObject. A Read-Only Domain Controller (RODC) can request replication of a specific object with functionality known as a Replicate-Single-Object operation.


RSoP

Acronym for Resultant Set of Policy.


RUS

Acronym for Recipient Update Service.


RWDC

Acronym for Read-Write Domain Controller. A writeable domain controller, meaning it can be used to update objects in Active Directory. All domain controllers are writeable, unless they are a Read-Only Domain Controller (RODC).



SACL

Acronym for System Access Control List.


SAM

Acronym for Security Account Manager, the Windows NT account database format. A Windows NT SAM account database exposes a flat namespace.


Schema

Defines the structure of the data in a database. In Active Directory, the Schema container defines the object classes and the attributes that apply to each class in Active Directory.

Schema Container

The container within the Configuration container with objects that define the classes in Active Directory and the attributes that apply to the classes.

Schema Master

The Schema Master role holder is the domain controller that can make changes to the Schema. One domain controller in the forest must hold this role.


SCP

Acronym for Service Connection Point object. These are objects in Active Directory usually published under the computer object where the corresponding service is installed. Used to maintain information about the service.


Acronym for System.DirectoryServices namespace. The primary namespace used for code that targets Active Directory in the .NET Framework.

Security Principal

An object in Active Directory to which security can be applied. A security principal must have the objectSID attribute, so it can be the trustee in an Access Control Entry (ACE).


Server

A computer with a server operating system that can share resources in a network. A Domain Controller is one type of server.


SID

Acronym for Security IDentifier. All objects in Active Directory that are security principals (users, computers, groups) have the objectSID attribute, which is a SID. The SID uniquely identifies the object for security permissions. The SID value includes several components, including a RID (Relative ID). The SID without the RID is the same for all objects in the domain. Each object in an Active Directory domain has its own unique RID value.


Site

An Active Directory site defines the boundaries of high-speed connectivity for optimal replication and authentication. Sites are defined in the Configuration container of Active Directory.

Site Link

An object in Active Directory that defines the connection between sites, allowing them to replicate with each other.


SOA

Acronym for Start Of Authority. Records created by Read-Only Domain Controllers for read-only DNS zones.


SRV

Service Records.


SSL

Acronym for Secure Sockets Layer.


Subnet

A portion of a network defined by a subnet mask applied to the IP addresses of the components. Subnets are defined in the Configuration container of Active Directory.



Service Ticket.


TGT

Acronym for Ticket-Granting Ticket.


Tombstone

Deleted objects in the "Deleted Objects" container are referred to as tombstones. When an object is deleted from Active Directory it, with most of its attributes, is moved to the "Deleted Objects" container. Objects remain in this container, where they can be reanimated, for the tombstone period, after which they are permanently deleted.


Tree

A collection of Active Directory hierarchical domains in a contiguous namespace.


Trust

A relationship between domains that allows access by objects in one domain to resources in another.


Trustee

The identity of the object to which an Access Control Entry applies.



UPN

Acronym for User Principal Name, or the userPrincipalName attribute.


USN

Acronym for Update Sequence Number.


UTDV

Acronym for Up-To-Datedness Vector.



VBScript

Visual Basic Script Edition, a subset of the classic Visual Basic language. Programs written in VBScript are saved in files with the .vbs extension. VBScript programs can be run with either of two host programs, cscript.exe or wscript.exe.


VLV

Acronym for Virtual List View. Searching capability allowing display of results without returning every entry.



W32Time

Service that synchronizes the time on all computers in the forest.


WinNT

Windows NT namespace provider, supporting the Windows NT SAM account database. The WinNT provider can also be used to access Active Directory, but it exposes it as a flat namespace.


WINS

Acronym for Windows Internet Naming Service. Resolves computer NetBIOS names into IP Addresses.


WMI

Acronym for Windows Management Instrumentation. WMI is management technology allowing scripts and programs to monitor and control managed resources throughout the network. Resources include hard drives, file systems, operating system settings, processes, services, shares, registry settings, networking components, event logs, users, and groups.


WQL

Acronym for WMI Query Language, a subset of ANSI Structured Query Language (SQL) used to query WMI namespaces.


WSH

Acronym for Windows Script Host, an ActiveX scripting host providing an environment for the execution of scripts using one of several scripting engines or languages, such as VBScript.





Zone

A collection of contiguous hierarchical domain names. Portions of the DNS namespace delegated to one or more name servers.
