
Glossary of Windows terms
?: What is a domain?
This is a Windows term referring to an organizational structure. A domain has two meanings: a domain is a directory container object, and the term can also be used to refer to the general Windows environment or structure that this directory container provides.
A Windows domain is a group of computers which share a common account database. These computers each have an associated account object which is contained by the domain container. Because computers belonging to the domain share a common account database, file sharing across these computers is simple. Basic rights to computers in a domain can be controlled via a group policy object associated with the domain directory object.
With Windows 2000, the Windows domain must have a corresponding DNS domain associated with it. A Windows domain requires at least one domain controller where the common account database is held. Domain controllers for the domain must have the associated DNS domain as their primary DNS suffix. All other machines in a Windows domain can have any primary DNS suffix.
?: What is an OU or organizational unit?
This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.
A Windows OU is an organizational unit (a directory container) for grouping similar accounts or machines. OUs are used to provide a means of delegating authority over a group of accounts or machines to a person (the local administrator). OUs do not require a domain controller or any other physical representation. They are simply a container in the domain database. OUs can contain other OUs to a level of 63 deep. OUs can be used to duplicate the actual organizational structure. However, this isn’t always recommended.
?: What is a tree?
This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.
A Windows tree is a group of 1 or more trusted Windows domains with contiguous DNS domains. “Trusted” means that an authenticated account from one domain isn’t rejected by another domain. “Contiguous DNS domains” means that they all have the same root DNS name. For example, the domains it.win.Stanford.edu and su.win.Stanford.edu are contiguous, whereas fred.com and win.Stanford.edu are not contiguous. A tree shares common global catalog servers and a common schema. The schema determines what types of objects, classes, and attributes may be created in each of the domain databases in the tree. Trees have no physical representation like a domain controller, but require at least one domain to exist. Trees are used to group Windows domains which need to share files, policy, and resources.
?: What is a forest?
This is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.
A Windows forest is a group of 1 or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.
?: What is a site?
This is a Windows term referring to an organizational structure. Sites are manually defined groupings of subnets. One typically groups subnets which have high-bandwidth connectivity into the same site. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them. Universities typically have a single site, but might have multiple sites if they have more than one campus.
?: What is Active Directory or AD?
Active Directory is a new Windows term for the overall directory database in a Windows domain. The AD, or Active Directory, contains the user accounts, computer accounts, OUs, security groups, and group policy objects. The AD is markedly different from the NT4 domain database (called the SAM) because it is based on the LDAP standard. This means that everything in AD is an object with a unique path together with associated attributes. This allows a greater opportunity for interoperability with applications and other directory products. The tree- or forest-wide schema determines what types of objects and attributes may be created in AD. Another implication of the new LDAP support is that information in the directory is searchable. Universities are under legal obligations to ensure the privacy of student personal information as requested, so you will find that this new functionality may be limited by privacy settings that people have requested.
?: What is the schema?
The schema defines what attributes, objects, classes, and rules are available in the Active Directory. The schema is shared by AD forest-wide and is replicated between all domains, so a schema modification in one domain affects the schema in all other domains. Only special administrators known as Schema Administrators have the right to make modifications. Modifications to the schema are rare, and are made to extend support for enterprise application services which benefit from storing user or computer configuration data centrally. Microsoft Exchange 2000 is a good example of such an application which requires a schema modification.
?: What’s a global catalog server?
The global catalog server’s function is to process directory searches for the entire forest. Therefore, the GC has a subset of the searchable attributes for all objects in the AD, regardless of the object’s parent domain. Among the things in the GC are entries for all the accounts and machines, with a subset of the attributes for each object. A global catalog server must be a domain controller. In the Stanford Windows Infrastructure, both of the WIN domain controllers are global catalog servers.
?: What is the top-level domain or the forest root domain?
The top-level domain or forest root domain is the first domain installed in a forest. In the Stanford Windows Infrastructure, this is the WIN domain.
?: What is group policy or a GPO?
Group policy is a new Windows term for common configuration settings. An administrator can create a group policy which applies to users or computers. This group policy can set certain computer settings, such as who can log in to the computer, or user settings, such as whether the user can run control panel applets. Group policy is similar to what was called policy in NT4, but there is vastly improved performance together with a greater number of common configuration settings. A GPO, or group policy object, is a set of settings applied to a site, domain or OU container. The GPO is then applied to every machine or user object under that container. One can configure a GPO with ACLs to restrict the computers or users to which it is applied. One can read further about how group policy is processed here.
?: What is the group policy loopback feature?
Group Policy is applied to a user or computer based upon where the user or computer object is located in the Active Directory. The computer’s GPOs are applied at computer startup. The user’s GPOs are applied at login. However, in some cases, users may need policy applied to them based upon the location of the computer object, not the location of the user object. The Group Policy loopback feature gives the administrator the ability to apply Group Policy based upon the computer that the user is logging onto. The computer’s GPOs are still retrieved at computer startup, but the user portion of these GPOs isn’t applied until a user logs in. More detail can be found at http://windows.stanford.edu/docs/gpoorder.htm.
?: What is an ACL or access-control list?
A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an access-control list (ACL) is an access-control entry (ACE). There are two types of access-control list, discretionary and system. The discretionary access-control list (DACL) is typically what is meant when the term ACL is used. The DACL is an access-control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. The system access-control list (SACL) controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
?: What is an ACE or access-control entry?
An entry in an access-control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited.
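As an added illustration (not part of the original glossary) of how the ACEs in a DACL decide access, this Python model walks a DACL in order the way Windows does: a deny ACE for the trustee stops the check as soon as it covers any requested right, allow ACEs accumulate rights until every requested right is granted, an empty DACL grants nothing and a NULL DACL grants everything. The access-right bits and the domain SIDs are constructed sample values; only S-1-1-0 (Everyone) is a real well-known SID.

```python
from dataclasses import dataclass

# Constructed access-right bits for this example (not the real Windows access masks).
READ, WRITE = 0x1, 0x2
# "S-1-1-0" is the real well-known Everyone SID; the other SIDs are constructed samples.
EVERYONE = "S-1-1-0"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1100"   # constructed group SID
ALICE = "S-1-5-21-1000-2000-3000-1001"         # constructed user SID (a contractor)

@dataclass(frozen=True)
class Ace:
    """One access-control entry: trustee SID, access mask, allow or deny."""
    sid: str
    mask: int
    deny: bool = False

def access_check(dacl, token_sids, requested):
    """Walk a DACL in order as Windows does. dacl is a list of Ace or None (NULL
    DACL); token_sids holds the requester's user and group SIDs; requested is a mask."""
    if dacl is None:                  # NULL DACL: no protection, everything allowed
        return True
    granted = 0
    for ace in dacl:                  # an empty DACL never grants anything
        if ace.sid not in token_sids:
            continue                  # ACE names a trustee not in this token
        if ace.deny:
            if ace.mask & requested:  # any requested right explicitly denied -> denied
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:  # every requested right accumulated -> allowed
                return True
    return False                      # ran out of ACEs without a full grant

# Canonical order lists explicit deny ACEs before allow ACEs.
CANONICAL_DACL = [Ace(CONTRACTORS, WRITE, deny=True), Ace(EVERYONE, READ | WRITE)]
MISORDERED_DACL = list(reversed(CANONICAL_DACL))  # allow reached before the deny

def demo():
    """Decisions for the sample DACLs; the last entry shows why ACE order matters."""
    alice = {ALICE, CONTRACTORS, EVERYONE}
    bob = {"S-1-5-21-1000-2000-3000-1002", EVERYONE}   # constructed, not a contractor
    return {
        "alice_read": access_check(CANONICAL_DACL, alice, READ),               # True
        "alice_write": access_check(CANONICAL_DACL, alice, WRITE),             # False
        "bob_write": access_check(CANONICAL_DACL, bob, WRITE),                 # True
        "empty_dacl_read": access_check([], bob, READ),                        # False
        "misordered_alice_write": access_check(MISORDERED_DACL, alice, WRITE), # True
    }
```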
?: What is a SID or security identifier?
A structure of variable length that uniquely identifies a directory object in all Windows NT or 2000 implementations. Directory objects can be users, groups, computers, or group policy objects. The directory objects can be domain based (either in the NT domain accounts database or in Windows 2000 Active Directory) or local to the computer (in the local account database). There is a set of common SIDs called well-known SIDs which are not unique, but identical across all Windows computers.
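As an added example (not part of the original glossary), this Python code decodes the variable-length binary SID structure into its familiar S-1-... string form and back, and tells a well-known SID apart from one that is unique to a domain. The well-known SIDs and RIDs listed are real; the S-1-5-21-1000-2000-3000 domain is a constructed sample.

```python
import struct

# Real well-known SIDs, identical on every Windows computer.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
# Real well-known RIDs that end a domain SID (S-1-5-21-x-y-z-RID).
WELL_KNOWN_RIDS = {500: "built-in Administrator account", 512: "Domain Admins", 513: "Domain Users"}

def parse_sid(data: bytes) -> str:
    """Decode the variable-length binary SID into its S-1-... string form.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then `count` little-endian 32-bit sub-authorities."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of parse_sid: encode the string form back into the binary structure."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"malformed SID string {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def describe(sid: str) -> str:
    """Say whether a SID is well-known or unique to one domain or computer."""
    if sid in WELL_KNOWN:
        return f"well-known: {WELL_KNOWN[sid]}"
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        rid = int(parts[7])
        return f"domain SID {'-'.join(parts[:7])}, RID {rid} ({WELL_KNOWN_RIDS.get(rid, 'ordinary principal')})"
    return "unrecognised"

# Constructed sample (fake domain): binary form of S-1-5-21-1000-2000-3000-1100.
SAMPLE_SID_BYTES = sid_to_bytes("S-1-5-21-1000-2000-3000-1100")
```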