UCAD Glossary of Terms
What is Active Directory?
Active Directory is a new Windows term for the overall directory database in a Windows domain. The AD, or Active Directory, contains the user accounts, computer accounts, OUs, security groups, and group policy objects. The AD is markedly different from the NT4 domain database (called the SAM) because it uses the LDAP standard. This means that everything in AD is an object with a unique path together with associated attributes. This allows a greater opportunity for interoperability with applications and other directory products. The tree or forest-wide schema determines what types of objects and attributes may be created in AD. Another implication of the new LDAP support is that information in the directory is searchable. Universities are under legal obligations to ensure the privacy of student personal information as requested, so you will find that privacy settings that people have requested may limit this new.
What is a Domain?
A domain is a Windows term referring to an organizational structure. The term has two meanings: a domain is a directory container object, and it can also refer to the general Windows environment or structure that this directory container provides.
A Windows domain is a group of computers that share a common account database. These computers each have an associated account object that is contained by the domain container. Because computers belonging to the domain share a common account database, file sharing across these computers is simple. A group policy object associated with the domain directory object can control basic rights to computers in a domain.
With Windows 2000, the Windows domain must have a corresponding DNS domain associated with it. A Windows domain requires at least one domain controller, holding the common account database. Domain controllers for the domain must have the associated DNS domain as their primary DNS suffix. All other machines in a Windows domain can have any primary DNS suffix.
What is an OU?
An organizational unit (OU) is a Windows term referring to an organizational structure. The term can refer to the structure itself or the general environment under that structure.
A Windows OU is an organizational unit (a directory container) for grouping similar accounts or machines. OUs provide a means of delegating authority over a group of accounts or machines to a person (the local administrator). OUs do not require a domain controller or any other physical representation; they are simply a container in the domain database. OUs can contain other OUs to a level of 63 deep. OUs can duplicate the actual organizational structure; however, this isn't always recommended.
What is a Tree?
A tree is a Windows term referring to an organizational structure. The term can be used to refer to the structure itself or the general environment under that structure.
A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. "Trusted" means that an authenticated account from one domain isn't rejected by another domain. "Contiguous DNS domains" means that they all have the same root DNS name. A tree shares common global catalog servers, and a common schema. The schema determines what types of objects, classes, and attributes may be created in each of the domain databases in the tree. Trees have no physical representation like a domain controller, but require at least one domain to exist. Trees are used to group Windows domains that need to share files, policy, and resources.
What is a Forest?
A forest is a Windows term referring to an organizational structure. The term can refer to the structure itself or the general environment under that structure.
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be a forest.
What is the Schema?
The schema defines what attributes, objects, classes, and rules are available in the Active Directory. The schema applies forest-wide and is replicated between all domains, so a schema modification in one domain affects the schema in all other domains. Only special administrators known as Schema Administrators have the right to make modifications. Modifications to the schema are rare, and are made to extend support for enterprise application services that benefit from storing user or computer configuration data centrally. Microsoft Exchange 2000 is a good example of such an application that requires a schema modification.
What is the Global Catalog?
The global catalog server's function is to process directory searches for the entire forest. Therefore, the GC has a subset of the searchable attributes for all objects in the AD, regardless of the object's parent domain. Among the things in the GC are entries for all the accounts and machines, with a subset of the attributes for each object. A global catalog server must be a domain controller. In the Stanford Windows Infrastructure, both of the WIN domain controllers are global catalog servers.
What is the Forest Root Domain?
The top-level domain or forest root domain is the first domain installed in a forest. In the UChicago Windows Infrastructure, this is the WIN domain.
What is Group Policy?
Group policy is a new Windows term for common configuration settings. An administrator can create a group policy that applies to users or computers. This group policy can set certain computer settings, such as who can log in to the computer, or user settings, such as whether the user can run control panel applets. Group policy is similar to policy in NT4, but performance is vastly improved and there is a greater number of common configuration settings. A group policy object (GPO) is a set of settings applied to a site, domain or OU container. The GPO is then applied to every machine or user object under that container. One can configure a GPO with access-control lists (ACLs) to restrict the computers or users to which it is applied.
What is an ACL?
An access-control list (ACL) is a list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.) An entry in an ACL is an access-control entry (ACE). There are two types of access-control list, discretionary and system. The discretionary access-control list (DACL) is typically what is meant when the term ACL is used. The DACL is an access-control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. The system access-control list (SACL) controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.
What is a SID?
A SID is a structure of variable length that uniquely identifies a directory object in all Windows NT or 2000 implementations. Directory objects can be users, groups, computers, or group policy objects. The directory objects can be domain based (either in the NT domain accounts database or in Windows 2000 Active Directory) or local to the computer (in the local account database). There is a set of common SIDs called well-known SIDs, which are not unique, but identical across all Windows computers.
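As an added illustration (not part of the original glossary), the following Python decodes the variable-length binary SID layout described above and separates a domain or local account SID into its domain identifier and relative identifier (RID). The well-known SID and RID tables are real published Windows values; the sample bytes are constructed for the demonstration.

```python
import struct

# Well-known SIDs: identical on every Windows computer rather than unique.
# Values are from Microsoft's published list; names are as Windows displays them.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative identifiers (RIDs) that every domain or local account
# database reuses under its own unique S-1-5-21-... prefix.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}

def sid_from_bytes(data: bytes) -> str:
    """Decode the binary SID layout: 1-byte revision, 1-byte sub-authority
    count, 48-bit big-endian identifier authority, then N little-endian
    32-bit sub-authorities. The length varies with N (the 'variable length'
    the glossary entry refers to), so the count is validated first."""
    if len(data) < 8:
        raise ValueError("SID too short for header")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def describe_sid(sid: str) -> dict:
    """Classify a string SID as well-known, as a domain/local account SID
    (S-1-5-21-<three 32-bit values>-<RID>), or as something else."""
    if sid in WELL_KNOWN_SIDS:
        return {"kind": "well-known", "name": WELL_KNOWN_SIDS[sid]}
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        return {"kind": "domain-or-local", "domain": "-".join(parts[:7]),
                "rid": rid, "name": WELL_KNOWN_RIDS.get(rid)}
    return {"kind": "other", "name": None}

if __name__ == "__main__":
    # Constructed sample: binary encoding of S-1-5-32-544 (BUILTIN\Administrators).
    sample = bytes([1, 2, 0, 0, 0, 0, 0, 5]) + struct.pack("<2I", 32, 544)
    print(describe_sid(sid_from_bytes(sample)))
```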