
There are five different FSMO roles and they each play a different function in making
Active Directory work:

• PDC Emulator - This role is the most heavily used of all FSMO roles and has the
widest range of functions. The domain controller that holds the PDC Emulator
role is crucial in a mixed environment where Windows NT 4.0 BDCs are still
present. This is because the PDC Emulator role emulates the functions of a
Windows NT 4.0 PDC. But even if you've migrated all your Windows NT 4.0
domain controllers to Windows 2000 or Windows Server 2003, the domain
controller that holds the PDC Emulator role still has a lot to do. For example, the
PDC Emulator is the root time server for synchronizing the clocks of all Windows
computers in your forest. It's critically important that computer clocks are
synchronized across your forest because if they're out by too much then Kerberos
authentication can fail and users won't be able to log on to the network. Another
function of the PDC Emulator is that it is the domain controller to which all
changes to Group Policy are initially made. For example, if you create a new
Group Policy Object (GPO) then this is first created in the directory database and
within the SYSVOL share on the PDC Emulator, and from there the GPO is
replicated to all other domain controllers in the domain. Finally, all password
changes and account lockout issues are handled by the PDC Emulator to ensure
that password changes are replicated properly and account lockout policy is
effective. So even though the PDC Emulator emulates an NT PDC (which is why
this role is called PDC Emulator), it also does a whole lot of other stuff. In fact,
the PDC Emulator role is the most heavily utilized FSMO role so you should
make sure that the domain controller that holds this role has sufficiently beefy
hardware to handle the load. Similarly, if the PDC Emulator role fails then it can
potentially cause the most problems, so the hardware it runs on should be fault
tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if
you have N domains in your forest then you will have N domain controllers with
the PDC Emulator role as well.
• RID Master - This is another domain-specific FSMO role, that is, every domain
in your forest has exactly one domain controller holding the RID Master role. The
purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the
domain and prevent this pool from becoming exhausted. RIDs are used up
whenever you create a new security principal (user or computer account) because
the SID for the new security principal is constructed by combining the domain
SID with a unique RID taken from the pool. So if you run out of RIDs, you won't
be able to create any new user or computer accounts, and to prevent this from
happening the RID Master monitors the RID pool and generates new RIDs to
replenish it when it falls beneath a certain level.
• Infrastructure Master - This is another domain-specific role and its purpose is to
ensure that cross-domain object references are correctly handled. For example, if
you add a user from one domain to a security group from a different domain, the
Infrastructure Master makes sure this is done properly. As you can guess
however, if your Active Directory deployment has only a single domain, then the
Infrastructure Master role does no work at all, and even in a multi-domain
environment it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much
horsepower at all.
• Schema Master - While the first three FSMO roles described above are domain-
specific, the Schema Master role and the one following are forest-specific and are
found only in the forest root domain (the first domain you create when you create
a new forest). This means there is one and only one Schema Master in a forest,
and the purpose of this role is to replicate schema changes to all other domain
controllers in the forest. Since the schema of Active Directory is rarely changed
however, the Schema Master role will rarely do any work. Typical scenarios
where this role is used would be when you deploy Exchange Server onto your
network, or when you upgrade domain controllers from Windows 2000 to
Windows Server 2003, as these situations both involve making changes to the
Active Directory schema.
• Domain Naming Master - The other forest-specific FSMO role is the Domain
Naming Master, and this role also resides in the forest root domain. The Domain
Naming Master role processes all changes to the namespace. For example, adding
the child domain vancouver.mycompany.com to the forest root domain
mycompany.com requires that this role be available, so if you can't add a new child
domain or new domain tree, check to make sure this role is running properly.

To summarize then, the Schema Master and Domain Naming Master roles are found only
in the forest root domain, while the remaining roles are found in each domain of your
forest. Now let's look at best practices for assigning these roles to different domain
controllers in your forest or domain.

FSMO Roles Best Practices

Proper placement of FSMO Roles boils down to three simple rules:

• Rule One: In your forest root domain, keep your Schema Master and Domain
Naming Master on the same domain controller to simplify administration of these
roles, and make sure this domain controller contains a copy of the Global Catalog.
This is not a hard-and-fast rule, as you can move these roles to different domain
controllers if you prefer, but there's no real gain in doing so and it only
complicates FSMO role management. If for reasons of security policy
however your company decides that the Schema Master role must be fully
segregated from all other roles, then go ahead and move the Domain Naming
Master to a different domain controller that hosts the Global Catalog. Note though
that if you've raised your forest functional level to Windows Server 2003, your
Domain Naming Master role can be on a domain controller that doesn't have the
Global Catalog, but in this case make sure this domain controller is a direct
replication partner of the Schema Master machine.
• Rule Two: In each domain, place the PDC Emulator and RID Master roles on the
same domain controller and make sure the hardware for this machine can handle
the load of these roles and any other duties it has to perform. This domain
controller doesn't have to have the Global Catalog on it, and in general it's best to
move these two roles to a machine that doesn't host the Global Catalog because
this will help balance the load (the Global Catalog is usually heavily used).
• Rule Three: In each domain, make sure that the Infrastructure Master role is not
held by a domain controller that also hosts the Global Catalog, but do make sure
that the Infrastructure Master is a direct replication partner of a domain controller
hosting the Global Catalog that resides in the same site as the Infrastructure
Master. Note however that this rule does have some exceptions, namely that the
Infrastructure Master role can be held by a domain controller hosting the Global
Catalog in two circumstances: when there is only one domain in your forest or
when every single domain controller in your forest also hosts the Global Catalog.

To summarize these three rules then and make them easy to remember:

• Forest root domain - Schema Master and Domain Naming Master on the same
machine, which should also host the Global Catalog.
• Every domain - PDC Emulator and RID Master on the same machine, which
should have beefy hardware to handle the load.
• Every domain - Never place the Infrastructure Master on a machine that hosts the
Global Catalog, unless your forest has only one domain or unless every domain
controller in your forest hosts the Global Catalog.
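As an added example (not from the original article), the following PowerShell checks a forest's current FSMO placement against the three rules above. It assumes the RSAT ActiveDirectory module (Get-ADForest, Get-ADDomain, Get-ADDomainController) on PowerShell 5 or later and read access to every domain; the replication-partner conditions of Rules One and Three are not checked.

```powershell
# Added example, not part of the original article. Audits FSMO role placement
# in the current forest against the three placement rules. Assumes the RSAT
# ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Test-FsmoPlacement {
    [CmdletBinding()]
    param()

    $forest   = Get-ADForest
    $findings = [System.Collections.Generic.List[string]]::new()

    # Forest-wide view: which DCs host the Global Catalog, and whether every DC does
    $gcHosts = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($gc in $forest.GlobalCatalogs) { [void]$gcHosts.Add($gc) }

    $allDcs = foreach ($d in $forest.Domains) {
        Get-ADDomainController -Filter * -Server $d
    }
    $everyDcIsGc  = @($allDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = @($forest.Domains).Count -eq 1

    # Rule One: Schema Master and Domain Naming Master on one DC that hosts the GC
    if ($forest.SchemaMaster -ne $forest.DomainNamingMaster) {
        $findings.Add("Rule 1: Schema Master ($($forest.SchemaMaster)) and " +
                      "Domain Naming Master ($($forest.DomainNamingMaster)) are on different DCs")
    }
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        if (-not $gcHosts.Contains($forest.$role)) {
            $findings.Add("Rule 1: $role $($forest.$role) does not host the Global Catalog")
        }
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # Rule Two: PDC Emulator and RID Master on the same DC, ideally not a GC
        if ($domain.PDCEmulator -ne $domain.RIDMaster) {
            $findings.Add("Rule 2 [$domainName]: PDC Emulator ($($domain.PDCEmulator)) and " +
                          "RID Master ($($domain.RIDMaster)) are on different DCs")
        }
        if ($gcHosts.Contains($domain.PDCEmulator)) {
            $findings.Add("Rule 2 [$domainName]: PDC Emulator $($domain.PDCEmulator) also hosts " +
                          "the Global Catalog (load-balancing advice, not a hard requirement)")
        }

        # Rule Three: Infrastructure Master must not host the GC, unless the forest
        # has a single domain or every DC in the forest hosts the GC
        $imOnGc = $gcHosts.Contains($domain.InfrastructureMaster)
        if ($imOnGc -and -not ($singleDomain -or $everyDcIsGc)) {
            $findings.Add("Rule 3 [$domainName]: Infrastructure Master $($domain.InfrastructureMaster) " +
                          "hosts the Global Catalog in a multi-domain forest where not every DC is a GC")
        }
    }

    return $findings
}

$result = @(Test-FsmoPlacement)
if ($result.Count -eq 0) {
    Write-Output 'FSMO placement follows all three rules.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```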

Definitions of Active Directory on the Web:

• a structure supported by Windows® 2000 that lets any object on a network be tracked
and located. Active Directory is the directory service used in Windows 2000 Server and
provides the foundation for Windows 2000 distributed networks.
harcon.ma.cx/Docs/General/AD_GLOSSARY.HTM
• The database that holds information about component locations, users, groups,
passwords, security, and other COM information. Some of this information is currently
stored in the Registry, but will eventually (with Windows 2000) be moved to the Active
Directory.
www.innovatia.com/software/papers/com.htm
• Provides the ability to build applications that give a single point of access to multiple
directories in a network environment, whether those directories are LDAP, NDS, or NTDS
based directories.
www.angelfire.com/ny3/diGi8tech/A.html
• Microsoft's directory database for Windows 2000 networks. Stores information about
resources on the network and provides a means of centrally organizing, managing, and
controlling access to the resources.
www.rlmueller.net/terms.htm
• The directory service environment for Microsoft Windows 2000 (and later) servers. Active
Directory includes enough information about users, groups, organizational units and other
kinds of management domains and administrative information about a network to
represent a complete digital model of the network.
www.netchico.com/support/glossary/a.html
• Active Directory (codename Cascade) is an implementation of LDAP directory services
by Microsoft for use in Windows environments. Active Directory allows administrators to
assign enterprise wide policies, deploy programs to many computers, and apply critical
updates to an entire organization. Active Directory stores information about its users and
can act in a similar manner to a phone book. ...
en.wikipedia.org/wiki/Active_Directory


Active Directory Glossary

Posted: Tuesday, July 20, 1999


A

access control -- the management of permissions for logging on to a computer
or network.

ACE -- see access control entry.

access control entry (ACE) -- each ACE contains a security identifier (SID),
which identifies the principal (user or group) to whom the ACE applies, and
information on what type of access the ACE grants or denies.

access control list (ACL) -- a set of data associated with a file, directory, or
other resource that defines the permissions that users and/or groups have for
accessing it. In the Active Directory service, an ACL is a list of access control
entries (ACEs) stored with the object it protects. In the Windows NT® operating
system, an ACL is stored as a binary value, called a security descriptor.

ACL -- see access control list.

Active Directory -- a structure supported by Windows® 2000 that lets any object
on a network be tracked and located. Active Directory is the directory service
used in Windows 2000 Server and provides the foundation for Windows 2000
distributed networks.

Active Directory Service Interfaces (ADSI) -- a client-side product based on
the Component Object Model (COM). ADSI defines a directory service model
and a set of COM interfaces that enable Windows NT and Windows 95 client
applications to access several network directory services, including Active
Directory. ADSI allows applications to communicate with Active Directory.

ADSI provides the means for directory service clients to use one set of interfaces
to communicate with any namespace that provides an ADSI implementation.
ADSI clients gain a simpler access to namespace services by using ADSI in
place of the network-specific application programming interface (API) calls. ADSI
conforms to and supports standard COM features. ADSI also defines interfaces
and objects accessible from automation-compliant languages such as Java,
Visual Basic®, and Visual Basic Scripting Edition (VBScript), as well as from non-
automation-compliant languages such as C and C++, which enhance
performance. In addition, ADSI supplies its own OLE database provider, and so
fully supports any clients already using an OLE database, including those using
ActiveX® technologies.

ADSI -- see Active Directory Service Interfaces.

attribute -- a single property of an object. An object is described by the values of
its attributes. For example, a car can be described by its attributes: make,
model, color, and so on. The term attribute is often used interchangeably with
property, which means the same thing. Attributes are also data items used to
describe the objects that are represented by the classes defined in the schema.
Attributes are defined in the schema separately from the classes; this allows a
single attribute definition to be applied to many classes. See also object.

authentication -- verifying the identity of a user who is logging on to a computer
system or verifying the integrity of a transmitted message.

B

backup domain controller (BDC) -- in a Windows NT Server 4.0 or earlier
domain, a computer running Windows NT Server that receives a copy of the
domain’s directory database, which contains all account and security policy
information for the domain. The copy is synchronized periodically and
automatically with the master copy on the primary domain controller
(PDC). Backup domain controllers also authenticate user logons and can be
promoted to function as PDCs as needed. Multiple backup domain controllers
can exist on a domain.

In a Windows 2000 domain, backup domain controllers are not required; all
domain controllers are peers, and all can perform maintenance on the directory.
Windows NT 4.0 and Windows NT 3.51 backup domain controllers can
participate in a Windows 2000 domain when it is running in mixed mode. See
also domain controller, primary domain controller.

C

container -- a special type of Active Directory object. A container is like other
directory objects in that it has attributes and is part of the Active Directory
namespace. However, unlike other objects, it does not usually represent
something concrete. It is the container for a group of objects and other
containers. See also object.

D

database layer -- an architectural layer of Active Directory that isolates the upper
layers of the directory service from the underlying database system by exposing
application programming interfaces (APIs) to the Directory System Agent (DSA)
layer so that no calls are made directly to the Extensible Storage Engine (ESE).

delegation -- allows a higher administrative authority to grant specific
administrative rights for containers and subtrees to individuals and groups. This
eliminates the need for domain administrators with sweeping authority over large
segments of the user population. Access control entries (ACEs) can grant
specific administrative rights on the objects in a container to a user or group.
Rights are granted for specific operations on specific object classes via ACEs in
the container’s Access Control List (ACL).

For example, to allow user “James Smith” to be an administrator of the
“Corporate Accounting” organizational unit, you would add ACEs to the ACL on
“Corporate Accounting” as follows:

“James Smith”; Grant; Create, Modify, Delete; Object-Class User

“James Smith”; Grant; Create, Modify, Delete; Object-Class Group

“James Smith”; Grant; Write; Object-Class User; Attribute Password

Now James Smith can create new users and groups in Corporate Accounting
and set the passwords on existing users, but he cannot create any other object
classes and he cannot affect users in any other containers (unless, of course, he
is granted that access by ACEs on the other containers).

directory -- a hierarchical structure that stores information about objects on the
network.

directory service -- such as Active Directory; provides the methods for storing
directory data and making this data available to network users and
administrators. For example, Active Directory stores information about user
accounts, such as names, passwords, phone numbers, and so on, and enables
other authorized users on the same network to access this information. See also
Active Directory, directory partition.

directory-enabled networking (DEN) -- the management of network elements
such as routers, applications, and users from a central repository of information
about users, applications, and network resources.

directory partition -- a contiguous subtree of the directory that forms a unit of
replication. A given replica is always a replica of some directory partition. Active
Directory is made up of one or more directory partitions.

In Active Directory a single server always holds at least three directory partitions:

• The schema
• The configuration (replication topology and related metadata)
• One or more per-domain directory partitions (subtrees containing the actual
objects in the directory)

The schema and configuration are replicated to every domain controller in a
given forest. The per-domain directory partition is replicated only to domain
controllers for that domain.

distinguished name -- identifies the domain that holds the object as well as the
complete path through the container hierarchy by which the object is reached.
Every object in the Active Directory has a unique distinguished name. A typical
distinguished name might be:
CN=JamesSmith,CN=Users,DC=Microsoft,DC=Com. This distinguished name
identifies the “James Smith” user object in the Microsoft.com domain.

DNS -- see Domain Name System.

domain -- a single security boundary of a Windows NT-based computer network.
Active Directory is made up of one or more domains. On a standalone
workstation, the domain is the computer itself. A domain can span more than one
physical location. Every domain has its own security policies and security
relationships with other domains. When multiple domains are connected by trust
relationships and share a common schema, configuration, and global catalog,
they constitute a domain tree. Multiple domain trees can be connected together
to create a forest. See also domain controller, domain local group.

domain controller -- a Windows NT-based server holding an Active Directory
partition. See domain.

domain local group -- can contain users and global groups from any domain in
the forest, universal groups, and other domain local groups in its own domain. A
domain local group can only be used on ACLs in its own domain. See also
domain, forest.

Domain Name System (DNS) -- hierarchical distributed database used for
name/address translation and client-server rendezvous. Domain Name System is
the namespace used on the Internet to translate computer and service names
into TCP/IP addresses. Active Directory uses DNS as its location service, and so
clients find domain controllers via DNS queries.

E

Extensible Storage Engine (ESE) -- the Active Directory database engine. ESE
(Esent.dll) is an improved version of the Jet database that is used in Microsoft
Exchange Server versions 4.x and 5.5. It implements a transacted database
system, which means that it uses log files to ensure that committed transactions
are safe.

F

forest -- a group of one or more Active Directory trees that trust each other. All
trees in a forest share a common schema, configuration, and global catalog.
When a forest contains multiple trees, the trees do not form a contiguous
namespace. All trees in a given forest trust each other through transitive
bidirectional trust relationships. Unlike a tree, a forest does not need a distinct
name. A forest exists as a set of cross-referenced objects and trust relationships
known to the member trees. Trees in a forest form a hierarchy for the purposes
of trust. See also tree, global catalog.

G

global catalog (GC) -- the global catalog contains a partial replica of every
Windows 2000 domain in the directory. The GC lets users and applications find
objects in an Active Directory domain tree given one or more attributes of the
target object. It also contains the schema and configuration of directory partitions.
This means the global catalog holds a replica of every object in the Active
Directory, but with only a small number of their attributes. The attributes in
the global catalog are those most frequently used in search operations (such as
a user’s first and last names, logon names, and so on), and those required to
locate a full replica of the object. The GC allows users to find objects of interest
quickly without knowing what domain holds them and without requiring a
contiguous extended namespace in the enterprise. The global catalog is built
automatically by the Active Directory replication system.

GC -- see global catalog.

global catalog server -- a Windows 2000 domain controller that holds a copy of
the global catalog for the forest. See also global catalog.

global group -- can appear on ACLs anywhere in the forest and may contain
users and other global groups from its own domain.

group -- see global group, domain local group, universal group, and Group
Policy.

Group Policy -- refers to applying policy to groups of computers and/or users
contained within Active Directory containers. The type of policy includes not only
registry-based policy found in Windows NT Server 4.0, but is enabled by
Directory Services to store many types of policy data, for example: file
deployment, application deployment, logon/logoff scripts and startup/shutdown
scripts, domain security, Internet Protocol security (IPSec), and so on. The
collections of policies are referred to as Group Policy objects (GPOs).

Group Policy object (GPO) -- a virtual collection of policies. It is given a unique
name, such as a globally unique identifier (GUID). GPOs store group policy
settings in two locations: a Group Policy container (GPC) (preferred) and a
Group Policy template (GPT). The GPC is an Active Directory object that stores
version information, status information, and other policy information (for example,
application objects). The GPT is used for file-based data and stores software
policy, script, and deployment information. The GPT is located on the system
volume folder of the domain controller.

A GPO can be associated with one or more Active Directory containers, such as
a site, domain, or organizational unit. Multiple containers can be associated with
the same GPO, and a single container can have more than one associated GPO.

In addition, by default every computer receives a local Group Policy object
(LGPO) that contains only security-specific policies. It is also possible for the
administrator to set and apply different local group policies on individual
computers. This is useful for computers that are not members of a domain, or
computers that the administrator wishes to exempt from Group Policy inherited
from the domain. See Group Policy.

GPO -- see Group Policy object.

H

hierarchical namespace -- a namespace, such as the DNS namespace and the
Active Directory namespace, that is hierarchically structured and provides rules
that allow the namespace to be partitioned. See also namespace.

K

Kerberos -- a security system that authenticates users. Kerberos doesn’t provide
authorization to services or databases; it establishes identity at logon, which is
used throughout the session. The Kerberos protocol is the primary authentication
mechanism in the Windows 2000 operating system.

Knowledge Consistency Checker (KCC) -- a built-in service that runs on all
domain controllers and automatically establishes connections between individual
machines in the same site. These are known as Windows 2000 Directory Service
connection objects. An administrator may establish additional connection objects
or remove connection objects. At any point, however, where replication within a
site becomes impossible or has a single point of failure, the KCC will step in and
establish as many new connection objects as necessary to resume Active
Directory replication.

L

Lightweight Directory Access Protocol (LDAP) -- a protocol used to access a
directory service. LDAP support is currently being implemented in Web browsers
and e-mail programs, which can query an LDAP-compliant directory. LDAP is a
simplified version of the Directory Access Protocol (DAP), which is used to gain
access to X.500 directories. It is easier to code the query in LDAP than in DAP,
but LDAP is less comprehensive. For example, DAP can initiate searches on
other servers if an address is not found, while LDAP cannot in its initial
specification. Lightweight Directory Access Protocol is the primary access
protocol for Active Directory.

M

mixed mode -- allows domain controllers running both Windows 2000 and earlier
versions of Windows NT to co-exist in the domain. In mixed mode, the domain
features from previous versions of Windows NT Server are still enabled, while
some Windows 2000 features are disabled. Windows 2000 Server domains are
installed in mixed mode by default. In mixed mode the domain may have
Windows NT 4.0 backup domain controllers present. Nested groups are not
supported in mixed mode. Compare native mode.

multi-master replication -- a feature of Active Directory that provides and
maintains copies of the directory across multiple servers in a domain. Since all
replicas of a given directory partition are writable, updates can be applied to any
replica of a given partition. The Active Directory replication system propagates
the changes from a given replica to all other replicas. Replication is automatic
and transparent.

Active Directory multi-master replication propagates every object (such as users,
groups, computers, domains, organization units, security policies, and so on)
created on any domain controller to each of the other participating domain
controllers. If one domain controller in a domain slows or fails, other domain
controllers in the same domain can provide the necessary directory access
because they contain the same directory data. See also replication.

N

native mode -- when all the domain controllers in a given domain are running
Windows 2000 Server. This mode allows organizations to take advantage of new
Active Directory features such as Universal groups, nested group membership,
and inter-domain group membership. Compare mixed mode.

namespace -- a name or group of names that are defined according to some
naming convention; any bounded area in which a given name can be resolved.
Active Directory is primarily a namespace, as is any directory service. A
telephone directory is also a namespace. The Internet uses a hierarchical
namespace that partitions names into categories known as top-level domains
such as .com, .edu, and .gov, which are at the top of the hierarchy.

name resolution -- the process of translating a name into some object or
information that the name represents. A telephone book forms a namespace in
which the names of telephone subscribers can be resolved into telephone
numbers. The Windows NTFS file system forms a namespace in which the name
of a file can be resolved into the file itself. Similarly, Active Directory forms a
namespace in which the name of an object in the directory can be resolved into
the object itself.

O

object -- a distinct, named set of attributes that represents something concrete,
such as a user, a printer, or an application. The attributes hold data describing
the thing that is identified by the directory object. Attributes of a user might
include the user’s given name, surname, and e-mail address.

object identifier -- a number identifying an object class or attribute in a directory
service. Object identifiers are issued by issuing authorities and form a hierarchy.
An object identifier is represented as a dotted decimal string (for example,
“1.2.3.4”). Enterprises (and individuals) can obtain a root object identifier from an
issuing authority and use it to allocate additional object identifiers. For example,
Microsoft has been issued the root object identifier of 1.2.840.113556. Microsoft
manages further branches from this root internally. One of these branches is
used to allocate an object identifier for Active Directory classes, another for
Active Directory attributes, and so on.

Most countries in the world have an identified national registration authority
(NRA) responsible for issuing object identifiers to enterprises. In the United
States, the NRA is the American National Standards Institute (ANSI). An
enterprise can register a name for the object identifier as well. There is a fee
associated with both root object identifiers and registered names. For details,
contact the NRA for your country. The International Standards Organization
recognizes NRAs and maintains a list of contacts on the ISO Web site. See also
object, attribute.

organizational unit (OU) -- a container object that is an Active Directory
administrative partition. OUs can contain users, groups, resources, and other
OUs. Organizational Units enable the delegation of administration to distinct
subtrees of the directory.

OU -- see organizational unit.

P

parent-child trust relationship -- the two-way, transitive trust relationship that is
established when you add a domain to an Active Directory tree. The Active
Directory installation process automatically creates a trust relationship between
the domain you are creating (the new child domain) and the parent domain.

partition -- a complete unit of replication within the store. See also directory
partition.

PDC -- see primary domain controller.

PKI -- see public key infrastructure.

policy -- the set of rules that govern the interaction between a subject and an
object. For example, when an Internet Protocol (IP) security agent (the subject)
starts on a given computer (the object) a policy determines how that computer
will participate in secure IP connections.

policy engine -- software that executes at decision points to perform policy
selection, to evaluate conditions, and determine what actions must be performed.
The concept of the policy engine is quite diffuse; policy engine functionality will
often be spread through many parts of the distributed system. For example,
Windows 2000 provides a policy infrastructure that includes a policy store (Group
Policy object), a policy engine that runs as part of user logon (WinLogon), and an
API for services to invoke the policy selection process on demand (GetGPOList).
Some applications and services will use WinLogon integration to apply their
policies to users; others will use GetGPOList to implement their own policy
decision and enforcement points.

primary domain controller (PDC) -- in a Windows NT Server 4.0 or earlier
domain, the PDC is the computer running Windows NT Server that authenticates
domain logons and maintains the directory database for a domain. The PDC
tracks changes made to accounts of all computers on a domain. It is the only
computer to receive these changes directly. A domain has only one primary
domain controller. In Windows 2000, one of the domain controllers in each
domain is identified as the PDC for compatibility with downlevel clients and
servers. See domain controller, backup domain controller.

profile -- a collection of information selected and applied to the interaction
between a subject and an object by an action that is the outcome of evaluation of
policy conditions. The content of a profile is specific to the subjects and objects in
question. Profiles can further simplify administration by reducing the total number
of policies. For example, a given server application may have a large number of
configuration parameters. A policy for that application can reference the profile;
this is simpler than using multiple policies to accomplish the same thing. See
policy, object.

public key infrastructure (PKI) -- a policy for establishing a secure method for
exchanging information within an organization, an industry, or a nation. PKI is
also an integrated set of services and administrative tools for creating, deploying,
and managing public-key-based applications. It includes the cryptographic
methods, the use of digital certificates and certificate authorities (CAs), and the
system for managing the process.

R

relative distinguished name (RDN) -- the part of the name of an object that is
an attribute of the object itself. The attribute that provides the RDN for an object
is referred to as the naming attribute. See also distinguished name.
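Added example, not part of the Microsoft glossary: a small Python parser that splits a distinguished name into its RDNs and returns the naming attribute of the object together with the DN of its parent. Commas inside a value are escaped with a backslash (RFC 4514), so the parser honours the escape instead of splitting on every comma; code that builds DNs from user-supplied values without escaping lets a value containing a comma act as an extra RDN and name a different container. The sample DN is constructed.

```python
# Added example, not part of the glossary: split an LDAP distinguished name
# (DN) into its relative distinguished names (RDNs). The leftmost RDN is the
# naming attribute of the object itself; the rest is the DN of its parent.
# Commas inside a value are escaped with a backslash (RFC 4514), so the parser
# must not split on every comma. The sample DN below is constructed.
from __future__ import annotations


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas, returning the RDNs leftmost-first."""
    rdns: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair intact so that "\," stays inside the value.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_rdn(rdn: str) -> tuple[str, str]:
    """Return (naming attribute, value) for one RDN such as 'CN=Jane Doe'."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), value.strip()


def naming_attribute(dn: str) -> tuple[str, str]:
    """The RDN of the object itself is the leftmost component of its DN."""
    return parse_rdn(split_dn(dn)[0])


def parent_dn(dn: str) -> str:
    """Everything after the first RDN is the DN of the parent container."""
    return ",".join(split_dn(dn)[1:])


if __name__ == "__main__":
    # Constructed sample DN; the escaped comma is part of the CN value.
    sample = r"CN=Doe\, Jane,OU=Staff,DC=example,DC=com"
    print(split_dn(sample))
    print(naming_attribute(sample))
    print(parent_dn(sample))
```

The parser only reads DNs; when composing one from untrusted input, escape the value before concatenating it, otherwise the split shown here is exactly what an unescaped comma exploits.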

replication -- in database management, the function that keeps distributed
databases synchronized by routinely copying the entire database or subsets of
the database to other servers in the network. There are several methods of
replication, including primary site replication, shared or transferred ownership
replication, symmetric replication, (also known as update-anywhere or peer-to-
peer replication), and failover replication. See the Tech Encyclopedia for
complete definitions of the different methods of replication.

Active Directory provides multi-master replication, which is a form of symmetric
replication (see multi-master replication).

S

schema -- the definition of an entire database; the universe of objects that can
be stored in the directory is defined in the schema. For each object class, the
schema defines what attributes an instance of the class must have, what
additional attributes it may have, and what object class can be a parent of the
current object base. See also object, attribute.

schema master -- the domain controller assigned to control all updates to the
schema within a forest. At any time, there can be only one schema master in the
forest. See also domain controller, forest, schema.

SID -- security identifier. See also access control entry.

single-master operations -- Active Directory operations that are single-master,
that is, not permitted to occur at different places in the network at the same time.
Examples of these operations include:

Relative identifier (RID) allocation
Schema modification
Primary domain controller (PDC) election
Certain infrastructure changes

site -- a location in a network holding Active Directory servers. A site is defined
as one or more well-connected TCP/IP subnets. Well-connected means that
network connectivity is highly reliable and fast (LAN speeds, 10 Mbps or
greater).

Sites play a major role in the Active Directory replication service, which
differentiates between replication using a local network connection (intra-site
replication) and replication over a slower wide area network (WAN) link (inter-site
replication). Administrators use the Active Directory Sites and Services Manager
snap-in to administer replication topology for both intra- and inter-site replication.

store -- the physical storage for each Active Directory replica. When an object is
stored in Active Directory, the system will select a copy of the store and write the
object there. The replication system will replicate the object on all other replicas.
The store is implemented using the Extensible Storage Engine (ESE). See also
Extensible Storage Engine.

T

transitive trust -- the trust relationship that inherently exists between Windows
2000 domains in a domain tree or forest, or between trees in a forest, or that can
exist between forests. When a domain joins an existing forest or domain tree, a
transitive trust is automatically established. Transitive trusts are always two-way
relationships. This series of trusts, between parent and child domains in a
domain tree and between root domains of domain trees in a forest, allows all
domains in a forest to trust each other for the purposes of authentication. For
example, if domain A trusts domain B and domain B trusts domain C, then
domain A trusts domain C. See also tree, forest.
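Added example, not from the glossary: Python that chains the two-way transitive trusts of a forest to list which domains a given domain will accept accounts from, the A-B-C rule above applied to a whole forest. The forest layout is constructed. The one-way, non-transitive trust to a domain outside the forest is an assumption added to show that chaining stops at such a trust, which is the check a reviewer of a trust diagram usually wants: a domain reachable only through a non-transitive hop is not trusted further along.

```python
# Added example, not from the glossary. A trust is (trusting, trusted,
# transitive). Forest-internal parent/child and tree-root trusts are two-way
# and transitive, as the glossary states; the one-way non-transitive trust in
# demo_forest() is an assumption used to show where chaining stops.
from collections import defaultdict


def forest_trusts(parent_of: dict, tree_roots: list) -> list:
    """Derive the automatic trusts of a forest.

    parent_of maps each child domain to its parent. tree_roots[0] is the
    forest root; every other tree root and the forest root trust each other.
    """
    edges = []
    for child, parent in parent_of.items():
        edges.append((child, parent, True))
        edges.append((parent, child, True))
    forest_root = tree_roots[0]
    for root in tree_roots[1:]:
        edges.append((root, forest_root, True))
        edges.append((forest_root, root, True))
    return edges


def trusted_by(trusts: list, start: str) -> set:
    """Domains whose accounts `start` will accept for authentication.

    Walk outgoing trusts from `start`. A non-transitive trust binds only its
    two endpoints: it is honoured for one hop from `start` and never crossed
    on the way from some other domain.
    """
    out = defaultdict(list)
    for trusting, trusted, transitive in trusts:
        out[trusting].append((trusted, transitive))
    reached, frontier = set(), [start]
    while frontier:
        domain = frontier.pop()
        for nxt, transitive in out[domain]:
            if nxt == start or nxt in reached:
                continue
            if domain != start and not transitive:
                continue  # reached via chaining: non-transitive trust does not carry
            reached.add(nxt)
            if transitive:
                frontier.append(nxt)
    return reached


def demo_forest() -> list:
    """Constructed sample: tree a.com (b.a.com, c.b.a.com), a second tree
    x.org, plus an assumed one-way non-transitive trust a.com -> legacy.local."""
    trusts = forest_trusts({"b.a.com": "a.com", "c.b.a.com": "b.a.com"},
                           ["a.com", "x.org"])
    trusts.append(("a.com", "legacy.local", False))
    return trusts


if __name__ == "__main__":
    for domain in ("c.b.a.com", "a.com", "legacy.local"):
        print(domain, "trusts", sorted(trusted_by(demo_forest(), domain)))
```

Every forest member trusts every other member, as the definition says, but only a.com trusts legacy.local, and legacy.local trusts nobody because the assumed trust is one-way.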

tree -- a set of Windows NT domains connected together through transitive,
bidirectional trust, sharing a common schema, configuration, and global catalog.
The domains must form a contiguous hierarchical namespace such that if a.com
is the root of the tree, b.a.com is a child of a.com, c.b.a.com is a child of b.a.com,
and so on. See also schema, forest.

U

universal group -- the simplest form of group. Universal groups can appear in
ACLs anywhere in the forest, and can contain other universal groups, global
groups, and users from anywhere in the forest. Small installations can use
universal groups exclusively and not concern themselves with global and local
groups.

W

well-connected -- sufficient connectivity to make your network and Active
Directory useful to clients on your network. The precise meaning of the term is
determined by your particular needs.

X

X.500 -- a set of standards defining a distributed directory service, developed by
the International Standards Organization (ISO).

Last Updated: Wednesday, December 15, 1999

© 2000 Microsoft Corporation. All rights reserved.

The COM / DCOM Glossary

Dan Simon
Innovatia Software
dansimon@innovatia.com
© 1999–2001 Innovatia Software. All Rights Reserved.
This paper provides a glossary and discussion of acronyms and terms
related to COM, the Component Object Model. DCOM stands for
Distributed COM. I was surprised at how many acronyms I found when I
started studying COM and DCOM. My background is primarily from the
Visual Basic end of things, so that slant will be reflected in the
definitions found here. Some of the discussion here is specific to VB6,
but the vast majority of this paper applies to VB5 as well. If you have
any additions, corrections, or questions, please feel free to email me.

Abstract Base Class - A class that does not include an implementation
and therefore cannot be directly used. It is used to derive other classes;
the derived classes implement the methods.

ACID - The ACID rules are rules that are met by a well-designed OLTP
system. The ACID acronym stands for Atomic, Consistent, Isolated, and
Durable.

Activation - The act of a client loading and binding to a server object.

Active Directory - The database that holds information about component
locations, users, groups, passwords, security, and other COM
information. Some of this information is currently stored in the Registry,
but will eventually (with Windows 2000) be moved to the Active
Directory.

ActiveX - An ActiveX component is a COM component that is intended
to be portable across more than one platform. Among other things,
ActiveX controls can be downloaded from a web server and operate on
the client computer outside of the web browser. This is in contrast to a
Java applet, which can only operate within the confines of a web
browser. ActiveX controls were originally called OLE controls before
they were modified to work over the internet.

ADO - ActiveX Data Objects. These are COM objects that allow
database access.

ADSI - Active Directory Service Interface, formerly known as ODSI. An
interface by which developers can access Directory services.

Apartment - A COM service that provides an execution context for COM
objects in such a way as to eliminate the possibility of conflict between
threads. There are two kinds of apartments: MTAs, which contain more
than one thread, and STAs, which contain only one thread. A process
never has more than one MTA, but can have many STAs.

AppID - A string that represents a COM application (which is a collection
of CLSIDs).

ASP - Active Server Pages. This is an HTML web page that is custom-
built in real time. ASP pages can be run as MTS objects. You can use
VBScript inside ASP pages and IIS will parse the VBScript. An ASP
page can load COM-based DLLs. Understanding ASP is the key to
designing web-based COM applications. You can use IISAD to design
ASP pages.

Atomic - This is the A in the ACID acronym. An atomic transaction is
one that is all-or-nothing. Either everything is successfully updated or
nothing is updated.

Automation - The binding of a client to a server object at run-time.
Automation allows a client to bind to a server object without having a
type library available at compile time. Automation uses the IDispatch
interface.

Automation Controller - A client that uses IDispatch to communicate
with an automation server.

Automation Server - A server component that uses the IDispatch
interface.

Binary Compatible - See Version Identical.

BSTR - Basic String. This is a data type that is stored as a string length
value and a null-terminated character array.
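Added example, not from the glossary: Python that packs and parses the BSTR layout described above. The details the page leaves out are assumptions taken from the COM documentation: the length prefix is a 4-byte count of bytes (not characters) immediately before the data, the characters are UTF-16 code units, and the terminator is a two-byte NUL. The point for a reviewer is the third function: a consumer that trusts the terminator instead of the length prefix sees a different string whenever the value contains an embedded NUL, which is the mismatch behind many length-versus-terminator bugs. Sample strings are constructed.

```python
# Added example, not from the glossary. BSTR wire layout assumed here:
#   <4-byte little-endian byte length> <UTF-16LE code units> <0x00 0x00>
import struct

PREFIX = struct.Struct("<I")      # byte length, excluding the terminator
TERMINATOR = b"\x00\x00"


def pack_bstr(text: str) -> bytes:
    """Encode text as a length-prefixed, NUL-terminated UTF-16LE BSTR."""
    data = text.encode("utf-16-le")
    return PREFIX.pack(len(data)) + data + TERMINATOR


def parse_bstr(blob: bytes) -> str:
    """Decode a BSTR using the length prefix, as a COM marshaller does.

    Validates that the prefix describes whole code units, that the buffer is
    long enough, and that the terminator is really there; any mismatch is
    rejected instead of being read past the end.
    """
    if len(blob) < PREFIX.size:
        raise ValueError("buffer too small for a BSTR length prefix")
    (nbytes,) = PREFIX.unpack_from(blob, 0)
    end = PREFIX.size + nbytes
    if nbytes % 2 or len(blob) < end + len(TERMINATOR):
        raise ValueError("truncated or malformed BSTR")
    if blob[end:end + len(TERMINATOR)] != TERMINATOR:
        raise ValueError("missing BSTR terminator")
    return blob[PREFIX.size:end].decode("utf-16-le")


def as_c_string(blob: bytes) -> str:
    """What a consumer that ignores the prefix and stops at the first UTF-16
    NUL sees. Differs from parse_bstr() whenever the value embeds a NUL."""
    data = blob[PREFIX.size:]
    units = []
    for i in range(0, len(data) - 1, 2):
        unit = data[i:i + 2]
        if unit == TERMINATOR:
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


if __name__ == "__main__":
    blob = pack_bstr("ab\x00cd")          # constructed: value with an embedded NUL
    print(blob.hex())
    print(repr(parse_bstr(blob)))          # 'ab\x00cd'  (length-prefix view)
    print(repr(as_c_string(blob)))         # 'ab'        (terminator view)
```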

ByRef - This is a way of passing the address of an argument to a
procedure. This allows the value of the argument to be changed in
the calling routine. ByRef is the default method of passing arguments in
VB. Objects that are created in VB can be passed by reference only.
Even if you use the ByVal keyword in front of an object in a procedure
declaration, the object is still passed by reference. Declaring a primitive
data type as a ByRef argument in a server object results in the
argument making a complete round trip when a client invokes a method
on a remote object.

ByVal - This is a way of passing the actual value of an argument to a
procedure. This allows the procedure to use a temporary copy of the
argument variable, so the value of the argument is never changed in the
calling routine. Declaring a primitive data type as a ByVal argument in a
server object results in the argument going only from the client to the
server when the client invokes a method on a remote object. This is
much more efficient than using ByRef, which results in a round trip of
the argument.

Callback - The execution of a client method by a server object. This is a
better alternative than using events because you can control which
client gets the callback in case of multiple clients. Also, callbacks are
faster because they use vTable binding. In addition, they're more
flexible than events because you can pass optional parameters and
arrays, which you cannot do with events.

Class Factory - Also referred to as a COM class object. It is an object
that lives in a server that is responsible for creating the objects
registered by that server. The class factory is activated by the SCM.

Class Table - A machine-wide table that holds the class factory object
references for every registered CLSID.

Client - A COM program running on a computer that creates objects in
another process called a server.

CLSID - Class ID, a GUID for a COM coclass.

CoClass - A COM implementation of a server class that is used by
clients to create objects.

COM - Component Object Model; a specification for writing reusable
software components; an infrastructure that allows objects to
communicate between processes and computers. All VB objects,
including forms and controls, are COM objects. One of the main
strengths of COM is that it integrates so many distributed application
services in one package.

COM class object - See Class Factory.

COM+ - An extension of COM. (I suppose the next version will be called
COM++.) COM+ will introduce an improved version of the SPM (which
will be called the In-Memory Database). It will also provide an
asynchronous eventing service for raising events in multiple clients. And
it will use the MSMQ services more transparently. Plus it will automate
load balancing when multiple servers are involved in your application.

Compatibility - This defines the relationship between a new version of a
COM object and previous versions. You can specify one of three levels
of compatibility in the VB Project Properties: version identical, version
compatible, or version incompatible.

Consistent - This is the C in the ACID acronym. A consistent transaction
is one that leaves data in a consistent state. Data should not contradict
each other.

CORBA - Common Object Request Broker Architecture. This is a
distributed object specification that competes with COM.

DACL - Discretionary Access Control List. This is a list that controls who
can do what with your server objects. An administrator can use
DCOMCNFG to configure the DACL.

DBMS - Database Management System, such as Oracle or Microsoft
SQL Server.

DCE - Distributed Computing Environment. This is code that provides
an RPC standard. It can also be used to develop distributed
applications.

DCOM - Distributed COM; COM over a wire; COM between more than
one computer; COM with RPC.

DCOMCNFG - A utility that allows you to configure security for COM
applications. The utility ships with COM and is run by selecting Start,
then selecting Run, then typing dcomcnfg.exe. The SCM uses the
security settings to decide who can do what with COM objects. Note
that DCOMCNFG allows only application-wide security settings. It does
not allow individual security settings for individual objects within a single
application.

Deadlock - When two or more transactions conflict in such a way that
each is waiting for the other before they proceed. For instance,
Transaction A might have a lock on Record 1 while trying to write to
Record 2, while Transaction B has a lock on Record 2 while trying to
write to Record 1. The two transactions will wait for each other forever
unless the deadlock is somehow resolved.
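Added example, not from the glossary: the wait-for graph that a lock manager (or someone reading lock dumps during an incident) builds to detect the situation described above, in Python. Transaction and record names are constructed. An edge T1 -> T2 means T1 is waiting for a record that T2 holds; a cycle in that graph is a deadlock, and the cycle members are the candidates for being aborted.

```python
# Added example, not from the glossary: deadlock detection over a wait-for
# graph built from constructed lock holdings and pending lock requests.
from collections import defaultdict


def wait_for_graph(holds: dict, waits: dict) -> dict:
    """holds: txn -> set of records it has locked; waits: txn -> record it wants.

    Produces txn -> set of txns it is waiting on. A transaction waiting for a
    record nobody holds (or that it holds itself) gets no edge.
    """
    owner = {rec: txn for txn, recs in holds.items() for rec in recs}
    graph = defaultdict(set)
    for txn, rec in waits.items():
        holder = owner.get(rec)
        if holder is not None and holder != txn:
            graph[txn].add(holder)
    return graph


def find_cycle(graph: dict) -> list:
    """Return the transactions on the first cycle found, or [] if the graph is
    acyclic. Depth-first search with white/grey/black colouring; a grey
    neighbour means the current path has looped back on itself."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            if colour[nxt] == GREY:
                return path[path.index(nxt):]      # the cycle, in wait order
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return []

    for node in sorted(graph):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return []


def deadlocked(holds: dict, waits: dict) -> list:
    """Transactions that are mutually blocked, or [] when everyone can proceed."""
    return find_cycle(wait_for_graph(holds, waits))


if __name__ == "__main__":
    # The glossary's scenario: A holds Record 1 and wants Record 2,
    # B holds Record 2 and wants Record 1.
    holds = {"A": {"Record 1"}, "B": {"Record 2"}}
    print(deadlocked(holds, {"A": "Record 2", "B": "Record 1"}))   # ['A', 'B']
    print(deadlocked(holds, {"A": "Record 2"}))                    # []
```

Detection picks a victim after the fact; the usual prevention is to acquire locks in one global order, which makes every wait-for graph acyclic by construction.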

DLL - Dynamic Link Library. COM server DLLs run in the same process
as their clients, unless the DLL is running in a surrogate process.

DTC - Distributed Transaction Coordinator. This is a product that
coordinates distributed transactions. It originally shipped with SQL
Server 6.5 but now runs on Windows NT as a system service. With VB
you can create objects inside an MTS transaction by setting the
MTSTransactionMode in the class properties dialog box. This results in
the automatic use of the DTC to control transactions associated with
that class.

Dual Interface - An interface that offers binding through IDispatch as
well as through a vTable. VB automatically builds objects using dual
interfaces. That means that VB-built objects can be accessed by both
vTable clients and automation clients.

Durable - This is the D in the ACID acronym. Changes due to a
transaction should be stored in stable storage and should be
recoverable in case of system failure.

Early Binding - VB provides this type of binding to an object that has
only an IDispatch interface. The binding is done at compile time, but it's
slower than vTable binding because the client uses Invoke to execute
the object's methods.

Encapsulation - A fundamental principle of OOP; the ability of an object
to hide its data and its methods from the rest of the world.

Event - A procedure in an object that can be raised (called) outside of
the object. Servers and clients can raise events in each other. As an
alternative to raising events you can use callbacks. Events are
implemented in VB using the IDispatch interface which means that
raising an event takes longer than vTable binding. Events use early
binding.

EXE - Executable file. COM server EXEs run in different processes than
their clients, either on the same computer or a different computer.

Friend - A VB method that is available from anywhere within a project,
but unavailable everywhere outside the project.

GUID - Globally Unique Identifier, a 128-bit integer that uniquely
identifies COM coclasses and interfaces. These are compiled into a
COM server's type library.

IDispatch - An interface that extends IUnknown to allow run-time binding
to server objects. Server objects that use this interface are called
automation servers. Clients that use this interface are called automation
controllers.

IDL - Interface Definition Language. A C-like language used to define
interfaces and coclasses for COM. OleView is a COM utility that
reverse-engineers a type library into a readable form of IDL. IDL is used
to provide language-independence for COM interfaces so that identical
interfaces defined in VB, C++, and Java look the same in IDL even
though they look different in the language used for implementation.

IID - Interface ID, a GUID for a COM interface.

IIS - Internet Information Server. This is a Microsoft application that
allows the creation of web-based applications that interact with COM
server objects. Web pages that interact with COM server objects are
called ASP pages.

IISAD - Internet Information Server Application Designer. This is an
extension of the VB development environment that helps in the creation
of web applications and ASP pages. Use IISAD for large-scale web
applications and skip it for smaller applications.

Immutability - This is the idea that a released interface should never be
changed. If you release a server object and later want to extend its
capabilities, then you should add a new interface instead of changing
existing interfaces. In practice you can violate the principle of
immutability by changing existing interfaces as long as your change
doesn't modify any old methods.

Inheritance - A fundamental principle of OOP. The ability of a class to
derive data and behavior from another class. This promotes reuse and
maintainability.

Interface - A set of signatures in a COM server that describe how to
access the methods of a class. It is often stated that the interface
constitutes a contract between the object and its clients. A Visual Basic
interface is an abstract class which provides a layer of indirection
between a server and its clients and thus decouples a class from the
clients that use it. This improves the maintainability of COM servers.

Invoke - An IDispatch method that allows a client to access a COM
object's methods.

Isolated - This is the I in the ACID acronym. An isolated transaction is
one that cannot be viewed by another transaction before it is committed.
A transaction should not be able to view the transitional state of another
transaction.
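Added example, not from the glossary, covering the four ACID entries (Atomic, Consistent, Isolated, Durable) at once on a constructed SQLite ledger, using Python's bundled sqlite3 module so it runs offline. Atomic: a transfer whose credit step fails after the debit already ran is rolled back as a whole. Consistent: the CHECK constraint is the invariant, and a transfer that would leave a negative balance is rejected. Isolated: a reader on a second connection does not see the writer's uncommitted update. Durable: every balance read here opens a fresh connection, so only what reached stable storage is visible. Account names and amounts are constructed.

```python
# Added example, not from the glossary: the four ACID properties on a small
# SQLite ledger. Table, accounts and amounts are constructed sample data.
import os
import sqlite3
import tempfile

DB_PATH = os.path.join(tempfile.mkdtemp(), "ledger.sqlite3")


def setup(path=DB_PATH):
    """Create the ledger. The CHECK constraint encodes the consistency rule:
    no balance may ever go negative."""
    con = sqlite3.connect(path, isolation_level=None)   # we issue BEGIN/COMMIT ourselves
    con.execute("DROP TABLE IF EXISTS accounts")
    con.execute(
        "CREATE TABLE accounts ("
        " name TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    con.execute("INSERT INTO accounts VALUES ('alice', 100), ('bob', 0)")
    con.close()


def balances(path=DB_PATH):
    """Read through a fresh connection: whatever it returns was committed and
    written to the file (durable), not something held in another connection's
    uncommitted state."""
    con = sqlite3.connect(path)
    rows = dict(con.execute("SELECT name, balance FROM accounts").fetchall())
    con.close()
    return rows


def transfer(src, dst, amount, path=DB_PATH):
    """Move money between two accounts inside one transaction.

    Atomic: both UPDATEs commit together or ROLLBACK undoes the first one.
    Consistent: a debit that violates the CHECK raises IntegrityError.
    Returns True on commit, False when the transaction was rolled back.
    """
    con = sqlite3.connect(path, isolation_level=None)
    try:
        con.execute("BEGIN")
        debit = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
        credit = con.execute(
            "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
        if debit.rowcount != 1 or credit.rowcount != 1:
            raise LookupError("unknown account")   # fires after the debit already ran
        con.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, LookupError):
        con.execute("ROLLBACK")
        return False
    finally:
        con.close()


def isolation_demo(path=DB_PATH):
    """Isolated: a reader on another connection sees the old value while the
    writer's transaction is open, and the new value only after COMMIT.
    Returns (balance seen during the write, balance seen after commit)."""
    writer = sqlite3.connect(path, isolation_level=None)
    writer.execute("BEGIN")
    writer.execute("UPDATE accounts SET balance = balance + 7 WHERE name = 'bob'")
    during = balances(path)["bob"]
    writer.execute("COMMIT")
    writer.close()
    return during, balances(path)["bob"]


if __name__ == "__main__":
    setup()
    print(transfer("alice", "bob", 30), balances())     # True, alice 70 / bob 30
    print(transfer("alice", "carol", 10), balances())   # False: rolled back, unchanged
    print(transfer("alice", "bob", 500), balances())    # False: CHECK violated, unchanged
    print(isolation_demo())                             # (30, 37)
```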

IUnknown - The COM interface class from which all other interface
classes are derived. This interface allows all COM objects to manage
their own lifetime, i.e., to release themselves from memory when they
are no longer connected to any clients.

Late Binding - VB performs late binding, also referred to as automation,
whenever the Object data type is used. This provides no type-checking
at compile time, and results in worse performance than either early
binding or vTable binding.

LDAP - Lightweight Directory Access Protocol. An interface by which
users can access Directory services.

Location Transparency - This means that client and server COM
software can be written without any consideration for the relative
location of the software. The COM services find the objects and clients
whether they're in the same process or another computer.

Marshaling - The act of formatting parameters for transmission through
a proxy / stub pair. A proxy marshals data to a remote object, and a stub
marshals data to a remote client.

MIDL - Microsoft IDL. The MIDL compiler generates a type library, but
Visual Basic creates type libraries without using the MIDL compiler.

MSMQ - Microsoft Message Queue, originally code-named Falcon. This
is a COM service that provides for the passing of messages between
applications. You can access MSMQ from VB. For instance, an MSMQ
can be created in VB with the statement Dim q1 as New
MSMQQUEUEInfo. However, MSMQ must be specifically installed and
configured on your computer before you can use it. MSMQ is
administered with an Explorer-type of interface.

MTA - Multithreaded Apartment; an apartment that contains more than
one thread. A component that's written to run in an MTA is called a free-
threaded component. VB components always run in STAs.

MTS - Microsoft Transaction Server, originally code-named VIPER. A
run-time environment for COM objects. MTS provides a surrogate
process for COM DLLs. An ActiveX DLL designed for MTS needs to
have the Microsoft Transaction Server Type Library in the Project
References dialog box. You can turn COM components into MTS
components by running the MTS Explorer. You can use MTS to move
components between various server computers. MTS also provides the
DTC to help coordinate distributed transactions. MTS also provides
extended security; security for MTS objects is more flexible than
security for non-MTS COM objects. MTS is administered with an
Explorer-type of interface.

MTS Resource Dispenser - This is a general class of applications that
work with MTS to share resources among MTS objects. Two examples
are the ODBC Driver Manager and the SPM.

No Compatibility - See Version Incompatible.

N-Tier Computing - A computing environment that has at least three
tiers.

Object Oriented Programming - A style of programming that supports
encapsulation, inheritance, and polymorphism. Some languages are
inherently object oriented (e.g., Smalltalk and Java) while other
languages support object oriented extensions (e.g., C++ and Visual
Basic). It is often stated that Visual Basic is not truly an object oriented
language because it doesn't support inheritance. If you make that
statement then you have to say that COM is not object oriented either,
because COM does not support inheritance either. COM and Visual
Basic do not support implementation inheritance, but they both support
interface inheritance.

OCX Controls - See ActiveX Controls.

ODSI - Open Directory Service Interface. See ADSI.

OLE - Object Linking and Embedding. A standard for linking and
embedding documents in other documents. OLE is the evolutionary
ancestor of COM. COM was the foundation of OLE2 which was
released by Microsoft in 1993.

OLE DB - Object Linking and Embedding for Databases. OLE DB is a
COM service that enables a user to access databases. A developer
accesses OLE DB services through ADO.

OleView - A COM utility that reverse-engineers a type library into a
readable form of IDL.

OLTP - Online Transaction Processing. An OLTP system is an
application that modifies data and has a large number of concurrent
users. Many OLTP systems are written against a DBMS.

OOP - See Object Oriented Programming.

Open Group - See OSF.

OSF - The Open Software Foundation, now called the Open Group. The
group that defined the RPC specification.

Polymorphism - A fundamental principle of OOP. The ability of objects to
have methods with the same names. This allows objects from similar
classes to carry out operations in a manner customized to the object.

Process - An instance of an application that runs in its own address
space.

ProgID - Program Identifier. This is a textual name that represents a
server object. It consists of the project name and the class name, like
MyServer.MyClass.

Project Compatible - See Version Compatible.

Proxy - An object that runs in a client's process that acts as a channel
for all communication between the client and a remote object. When a
client attempts to access a server object the proxy intercepts the call
and issues an RPC to the real instance of the server object.

Registration - The process of adding GUIDs, ProgIDs, and server
locations to the registry. Visual Basic automatically registers servers
when you build them. Out-of-process servers register themselves each
time they run. DLL servers can be registered using the REGSVR32.EXE
utility.

RM - Resource Manager. An RM is an application that acts as a data
source.

Round Trip - When a client passes control to a server object and then
the server passes control back to the client. Round trips are time-
consuming when the client and the server are located in different
processes, and especially when they're located on different machines.
You should design remote interfaces such that round trips are
minimized.

RPC - Remote Procedure Call. A coding specification for networking
software. DCOM uses Microsoft's implementation of RPC for
interprocess communication. RPC is the foundation of DCOM.

Run Time Binding - See Late Binding.

SCM - Service Control Manager, pronounced "scum." This is the COM
component that is responsible for activating a server object from a client
when the client tries to access the object. The SCM does its job by
looking for the class in the class table.

Server - A running COM program that is available for clients to connect
to.

SPM - Shared Property Manager, pronounced "spam." This is an MTS
Resource Dispenser that ships with MTS and that assists in the sharing
of global memory among objects running inside an MTS application.

STA - Single-Threaded Apartment; an apartment that contains a single
thread. A component that's written to run in an STA is called an
apartment-threaded component. VB components always run in STAs.

Stateless - This is a model of keeping objects alive only as long as
they're doing something useful. For instance, MTS transaction objects
are alive only for the duration of the transaction and then they're
destroyed. This is done to ensure data consistency. However, it results
in greater network traffic and more overhead on the programmer's part.

Stub - An object that runs in a server's process that acts as a channel
for all communication between the server and a remote client.

Surrogate Process - A container application that acts as a host for COM
server DLLs. MTS provides a surrogate process called MTX.EXE that
allows out-of-process clients to access COM server DLLs.

Thread - A sequence of executable statements that runs separately and
independently of other threads. A thread can be thought of as a
path of execution in a process. A thread is owned by exactly one
process, and a process owns one or more threads. If a process owns
more than one thread, then the process is multithreaded.

Threading Model - The VB threading model is found in the project
properties dialog box. If you build an ActiveX EXE you can choose one
of three options. Thread Pool = 1 means that all objects run in the main
STA. Thread Per Object means that each externally-created object runs
in its own STA. Thread Pool > 1 means that externally-created objects
run in one of the specified maximum number of STAs.

Three-Tier Computing - A computing environment in which applications
running on users' computers connect to a middle-tier of objects running
on a server, and the middle-tier of objects connect to a DBMS.

TM - Transaction Manager. A TM is a high-level architecture that is
used to coordinate transactions that are distributed across multiple
processes. MTS's TM is called the Distributed Transaction Coordinator.
In a distributed transaction each computer typically runs its own
instance of the TM.

Two-Tier Computing - A computing environment in which applications
running on users' computers connect to a DBMS on a network server.

Type Library - A file that describes interfaces, coclasses, and other
resources in a COM server. A type library file created by Visual Basic
typically has a TLB extension. The TLB file is required by a client to
connect to a server. A type library can be thought of as a binary version
of an IDL file. VB creates a type library when you create a VB server
object, thus eliminating the need for an IDL file.

Universal Marshaller - This is a COM service that builds proxy / stub
code at run-time for distributed applications.

UUID - Universally Unique Identifier, the same thing as a GUID. The
only reason there are two names for the same thing is to confuse you.

VB - Visual Basic. It's a programming language. Other than that I don't
know too much about it.

VBX - Visual Basic Extension controls. These are 16-bit reusable Visual
Basic controls that have been superseded by OCXs.

Version Compatible - Also called Project Compatible. This is a method
of changing a COM component in such a way that existing methods are
unchanged but new methods are added. This means that the vTable for
existing interfaces is extended with new entries at the end. VB
generates a new set of CLSIDs and IIDs, but the GUID for the
component's type library is unchanged.

Version Identical - Also called Binary Compatible. This is a method of
changing a COM component that satisfies the principle of immutability.
Existing interfaces are unchanged. You change the component by
adding new interfaces. This means that the vTable for existing
interfaces is unchanged.

Version Incompatible - Also called No Compatibility. This is a way of
changing a COM component in such a way that existing methods are
changed. This means that VB generates a new GUID for the
component's type library, and a new set of CLSIDs and IIDs. Old clients
will no longer be able to use the component and client application
developers will need to re-reference the type library in the References
Dialog Box.

vTable - Virtual Table; an array of function pointers to a COM object.
The function pointers cannot be used across process boundaries. When
a client wants to access an object in another process COM uses proxies
and stubs.

vTable Binding - Binding to an object at compile-time using the vTable
of an object's interface. This type of binding is much faster than either
late binding or early binding.

Last Revised: March 13, 2001

Active Directory: The directory service environment for Microsoft Windows 2000 (and
later) servers. Active Directory includes enough information about users, groups,
organizational units and other kinds of management domains and administrative
information about a network to represent a complete digital model of the network.

Address Resolution Protocol (ARP): A protocol in the TCP/IP suite used to associate
logical addresses to physical addresses.

Affiliate: Web site affiliates are what drive Internet

Daemon: A UNIX term for a component of any server program that "listens" to incoming
requests for a specific service across the network; for example, a Telnet server might
include a Telnet daemon, a program that always runs, ready to serve Telnet requests; the
same component of an FTP server is called an FTP daemon, and so forth.

Daily backup: Copies all files modified on the day of the backup.

DHCP: "Dynamic Host Configuration Protocol" A network server uses this protocol to
dynamically assign IP addresses and subnet masks to networked computers. The DHCP
server waits for a computer to connect to it then assigns it an IP address from a master list
stored on the server. DHCP helps in setting up large networks since IP addresses don't
have to be manually assigned to each computer on the network. Because of the slick
automation involved with DHCP it is one of the most commonly used networking
protocols.

DNS: "Domain Name System" The primary purpose of DNS is to keep Web surfers sane.
Without DNS, we would have to remember the IP address of every site we wanted to
visit, instead of just the domain name. Can you imagine having to remember
"17.254.3.183" instead of just "apple.com"? While I have some Computer Science friends
who might prefer this, most people have an easier time remembering simple names. The
reason the Domain Name System is used is because Web sites are actually located by
their IP addresses. For example, when you type in "http://www.adobe.com," the computer
doesn't immediately know that it should look for Adobe's web site. Instead, it sends a
request to the nearest DNS server, which finds the correct IP address for "adobe.com."
Your computer then attempts to connect to the server with that IP number.

Domain: A uniquely named collection of user accounts and resources that share a
common security database.

Domain controller: On networks based on Windows NT Server or Windows 2000
Server, a directory server that also provides access controls over users, accounts, groups,
computers and other network resources.

Domain model: A network based on Windows NT Server or Windows 2000 Server
whose security and access controls reside in a domain controller.

Domain Name: This is the name that identifies a web site. For example, "microsoft.com"
is the domain name of Microsoft's web site. A single web server can serve web sites for
multiple domain names, but a single domain name can point to only one machine. For
example, Apple Computer has web sites at www.apple.com, www.info.apple.com, and
store.apple.com. Each of these sites could be served on different machines. Then there
are domain names that have been registered, but are not connected to a web server. The
most common reason for this is to have e-mail addresses at a certain domain name
without having to maintain a web site. In these cases, the domain name must be
connected to a machine that is running a mail server.

LDAP: "Lightweight Directory Access Protocol" If you want to make directory
information available over the Internet, this is the way to do it. LDAP is a streamlined
version of an earlier directory standard called X.500. What makes LDAP so useful is that
it works great over TCP/IP networks (unlike X.500), so information can be accessed
through LDAP by anyone with an Internet connection. It is also an open protocol, which
means directories can be stored on any type of machine (e.g. Windows 2000, Red Hat
Linux, Mac OS X).

To give you an idea of how an LDAP directory is organized, here are the different levels
of a simple LDAP tree hierarchy:

• The root directory
• Countries
• Organizations
• Divisions, departments, etc.
• Individuals
• Individual resources, such as files and printers.

Most LDAP connectivity is done behind the scenes so the typical user probably won't
notice it when surfing the web. However, it is a good technology to know about.

Loopback: A special DNS host name that refers to the reserved Class A address
127.0.0.1 used to confirm that a computer's IP configuration works.

FAT32: This term refers to the way Windows stores data on your hard drive. "FAT"
stands for "File Allocation Table," which keeps track of all your files and helps the
computer locate them on the disk. Even if a file gets fragmented (split up into various
areas on the disk), the file allocation table can still keep track of it. FAT32 is an
improvement to the original FAT system since it uses more bits to identify each cluster
on the disk. This helps the computer locate files more easily and allows for smaller clusters,
which improves the efficiency of your hard disk. FAT32 supports up to 2 terabytes of
hard disk storage.

NTFS: "New Technology File System" It is a file system introduced by Microsoft with
Windows NT and is supported by subsequent versions of Windows such as Windows
2000 and Windows XP. (The file system is how the operating system organizes and
accesses files on the hard drive.) NTFS has a number of advantages over the older file
system named FAT, or file allocation table. One major advantage of NTFS is that it
incorporates features to improve reliability. For example, the new technology file system
includes fault tolerance, which repairs hard drive errors without displaying error
messages. It keeps detailed transaction logs, which track hard drive errors. This can help
prevent hard disk failure as well as make it possible to recover files if the hard drive does
fail. NTFS also allows permissions (such as read, write, and execute) to be set for
individual directories and files. It even supports spanning volumes, which allows
directories of files to be spread across multiple hard drives. The only reason why you
would not want to select NTFS when formatting your hard drive is if you like slow,
outdated technology or you need to run an older operating system such as Windows 95 or
MS-DOS.

SMTP: "Simple Mail Transfer Protocol" This is the protocol used for sending e-mail
over the Internet. Your e-mail client (such as Outlook, Eudora, or Mac OS X Mail) uses
SMTP to send a message to the mail server, and the mail server uses SMTP to relay that
message to the correct receiving mail server. Basically, SMTP is a set of commands that
authenticate and direct the transfer of electronic mail. When configuring the settings for
your e-mail program you usually need to set the SMTP server to your local Internet
Service Provider's SMTP settings (e.g. "smtp.yourisp.com"). However, the incoming mail
server (IMAP or POP3) should be set to your mail account's server (e.g. hotmail.com),
which may be different from the SMTP server.

Win32: This is the Windows application programming interface (API) for developing 32-
bit applications. It has been used for Windows 95, Windows 98, Windows NT, and newer
Windows operating systems. This means that if you use Windows 95 or later you can run
32-bit applications on your computer. Win32 is a term that is important to programmers
but is not crucial for the average user to know. Just know that if you have Windows 95 or
later you can run Win32 applications. If you want to learn more about Win32, including a
bunch of technical jargon, you can visit Microsoft's Developer Website for more
information.

Win32 Driver Model (WDM): A unified driver architecture that allows a single driver
to be written for both Windows 95 and Windows NT.

Windows: This is the most popular operating system for personal computers. It is
developed and distributed by Microsoft. There are several versions of the Windows
operating system including Windows XP Home and XP Pro. Earlier versions of Windows
include Windows 3.1, 95, 98, ME, and NT. All Windows platforms use a graphical user
interface (GUI), like the Mac OS, and also offer a command-line interface for typing text
commands.

WINMSD.EXE: The Windows NT 4.0 built-in diagnostics program.