Communications and Security in Windows Server


Communications and Security in Windows Server 2008: About This Course


Windows Server 2008 introduces the Read-Only Domain Controller (RODC), which organizations can deploy in locations where physical security cannot be guaranteed. An RODC improves security and provides faster logon times and more efficient access to network resources, especially across a WAN. This course discusses the policies used to implement security in an organization, such as Group Policy, the Default Domain Security Policy, account policies, and password policies. It also explains how organizational units can be used to apply Group Policy settings to a specific subset of computers or users, and how Internet Protocol Security (IPsec) can be used to secure Active Directory communications. The course is one in a series that covers the objectives for Microsoft exam 70-640: TS: Windows Server 2008 Active Directory, Configuring. Passing this exam completes the requirements for the MCTS: Windows Server 2008 Active Directory, Configuration certification and counts as credit towards the Microsoft Certified IT Professional (MCITP): Enterprise Administrator and MCITP: Server Administrator certifications, both of which require more than one exam.

Target Audience:

The audience for this course includes administrators who are rolling out and supporting Windows Server 2008 in the enterprise, and individuals seeking certification on Microsoft's new-generation server platform.

Published Duration:

1.0 hours

First publication date:


Last revision:


Course Number:


Copyright 2009 SkillSoft. All rights reserved.

SkillSoft and the SkillSoft logo are trademarks or registered trademarks of SkillSoft in the United States and certain other countries.

All other logos or trademarks are the property of their respective owners.




Communications and Security in Windows Server 2008: Acknowledgements





Communications and Security in Windows Server 2008: Copyrights

Copyright 1999-2009 SkillSoft Corporation

SkillSoft Corporation

107 Northeastern Blvd

Nashua, NH 03062

Phone: 603-324-3000

Fax: 603-324-3210

SkillSoft U.K. Ltd.

EMEA Headquarters (U.K)

Compass House

2nd Floor

207-215 London Road


GU15 3EY

Phone: +44 (0) 127 640 1950

Fax: +44 (0) 127 640 1951


SkillSoft Asia Pacific Pty. Limited

Level 1

71 Epping Road

North Ryde NSW 2113

Sydney Australia

(PO Box 365 North Ryde NSW 2113)

Phone: + 61 2 9941 6333

Fax: +61 2 9887 1780


All rights reserved. No part of this product may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopy, recording, broadcasting, or by any information storage or retrieval system, without permission in writing from SkillSoft Corporation.

Trademarks and servicemarks

SkillSoft, Search and Learn, SkillPort, Ahead of the Learning Curve, SkillChoice, SkillStudio, Books 24x7, Referenceware, ITPro, BusinessPro, Office Essentials, and Express Guides are trademarks or registered trademarks of SkillSoft.

This product contains elemedia SX7300P Speech CODEC software from Agere Systems, Inc. Copyright 1996-2004 Agere Systems, Inc. Elemedia is a trademark of Agere Systems, Inc. All Rights Reserved.

Except as otherwise specified, names, marks, logos and the like used in the educational/teaching content of these materials are intended to be, and to the best of Licensor's [SkillSoft's] knowledge and belief are, fictitious. None of the names, marks, or logos used herein is intended to depict any past or present individual or entity, or any trademark, service mark, or other protectable mark of any individual or entity. Any likeness, similarity or sameness between any name, mark, or logo used herein by Licensor [SkillSoft] and the name, mark, or logo of any individual or entity, past or present, is merely coincidental and unintentional. Any such names, marks, and logos used in the educational/teaching content of these materials are used only to provide examples for purposes of teaching the educational content of the materials, and are in no way intended to be used in any trademark sense or manner.

Names used in examples

The names of actual past or present individuals, entities, trademarks, service marks, logos and the like (other than those of Licensor [SkillSoft]) used in the educational/teaching content of these materials are used only to provide examples (including in some instances actual case studies based upon factual events or circumstances involving the individuals, entities, marks, or logos) for purposes of teaching the educational content of the materials. Any such names, marks, and logos used in the educational/teaching content of these materials are intended and used solely for the purpose of providing examples and case studies, and are in no way intended to be used in any trademark sense or manner.

Trade secrets

The software and technology used to implement this product contains trade secrets that SkillSoft considers to be confidential and proprietary information. Your right to use this material is subject to the restrictions in the license agreement under which you obtained it.





Communications and Security in Windows Server 2008: Course Objectives

Lesson: Securing Active Directory

After completing this topic, you should be able to

restrict delegated authentication for an object

set permissions for an organizational unit

manage user accounts

Lesson: Active Directory Communications

After completing this topic, you should be able to

implement an IPSec policy on a network

perform an unattended deployment of an RODC on a domain





Communications and Security in Windows Server 2008: Follow-on Activities





Communications and Security in Windows Server 2008: Glossary



access token

An object that contains security information for a logon session. The access token contains the SIDs for the user, all the groups a user belongs to, and a list of the user's privileges on a local computer. See also SID.
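
The script below is an added example (it is not part of the SkillSoft course) that shows what the definition above describes: the user SID, the group SIDs and, indirectly, the privileges carried by the current logon session's token. It uses only the .NET WindowsIdentity and WindowsPrincipal classes and the built-in whoami tool, so it runs on a Windows Server 2008 member server with PowerShell 2.0; the function name Get-TokenSummary is this example's own.

```powershell
# Added example, not from the course: inspect the current logon session's
# access token through the .NET classes PowerShell exposes.

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Well-known SID of BUILTIN\Administrators and the matching .NET role.
    $adminSid  = 'S-1-5-32-544'
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    "User:            {0} ({1})" -f $identity.Name, $identity.User.Value
    "Authentication:  {0}" -f $identity.AuthenticationType
    ""
    "Group SIDs carried in the token:"
    foreach ($sid in $identity.Groups) {
        $account = '(unresolved SID)'
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        "  {0,-45} {1}" -f $sid.Value, $account
    }
    ""
    # With User Account Control, an administrator's non-elevated token still
    # lists the Administrators SID, but it is marked deny-only, so access checks
    # ignore it. The two values below differ exactly when UAC filtered the token.
    $present = @($identity.Groups | Where-Object { $_.Value -eq $adminSid }).Count -gt 0
    $usable  = $principal.IsInRole($adminRole)
    "Administrators SID present in token:         {0}" -f $present
    "Administrators SID usable for access checks: {0}" -f $usable
    if ($present -and -not $usable) {
        "Token is UAC-filtered; rerun from an elevated prompt to use administrator rights."
    }
}

Get-TokenSummary

# WindowsIdentity does not expose privileges; whoami reads them from the same token.
whoami /priv
```

The deny-only check is the practical point: a process authorizes against the token it was started with, so a script that "is a member of Administrators" can still be refused by every ACL until it runs elevated.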

Accessibility services

A group of features that enable users with disabilities to more easily use an operating system's services.

Account lockout policy

A policy that defines how many times a user can enter an incorrect password before the account (not the computer) is locked out, and for how long the lockout lasts. It slows attackers who try to guess a user's logon credentials by repeated attempts.


ACPI

An abbreviation for Advanced Configuration and Power Interface, an open industry interface specification for managing the power supplied to computers and peripheral devices.

Active Directory

A Windows hierarchical directory service that allows network administrators to manage all network objects from a central point of administration. The Active Directory gives a network user access to allowed resources from any place on the network using a single logon process.

Active Directory Partition Replica

A copy of a logical segment of Active Directory data and configuration information, used to facilitate replication among domain controllers.

Active Directory replication

A replication service that enables Active Directory directory data to be transferred between domain controllers.


AD CS

An abbreviation for Active Directory Certificate Services, a feature that allows administrators to issue and revoke digital certificates and so associate the identity of a service or individual with its corresponding private key.


AD DS

An abbreviation for Active Directory Domain Services, a Windows hierarchical directory service that allows network administrators to manage all network objects from a central point of administration. AD DS gives a network user access to allowed resources from any place on the network using a single logon process.


AD FS

An abbreviation for Active Directory Federation Services, a service that enables organizations to share a user's identity information securely across organizational boundaries that use different security technologies.


AD LDS

An abbreviation for Active Directory Lightweight Directory Services, an LDAP directory service that an administrator can use to store and retrieve data for directory-enabled applications in a way that is more flexible than using AD DS.


AD RMS

An abbreviation for Active Directory Rights Management Services, a service that administrators can use to configure issuance licenses (server-based policies) that determine which users are allowed to access digital content, how they may use it, and under what circumstances they may access it.


adapter

A device that provides connectivity between peripherals and the computer. Common adapters are network cards, video cards, and modems.


ADMT

An abbreviation for Active Directory Migration Tool, a tool used to migrate directory service objects from Windows NT 4.0 to Windows 2000 and Windows Server 2003 Active Directory domains.


adprep

A command-line tool used to extend the schema, update default security descriptors, and add the new directory objects required by new applications, in preparation for upgrading a forest from Windows 2000 to Windows Server 2003 or from Windows Server 2003 to Windows Server 2008.


ADSI

An abbreviation for Active Directory Services Interface, a mechanism that provides a single set of directory service interfaces for managing networked resources.


aging

A DNS process in which the age of zone resource records is tracked so that stale records can be identified, keeping zone data up to date.


AIK

An abbreviation for Automated Installation Kit, a package of software tools used to customize and automate the deployment of Windows Vista and Windows Server 2008.


alias record

Also called a CNAME record, a DNS resource record that identifies a host by more than one name. Alias records are used when you need to rename an A resource record in the same zone, or when one name, such as www, needs to resolve to one of a group of individual computers that provide the same service, for example a group of redundant servers.


API

An abbreviation for Application Programming Interface, a set of tools and protocols used to develop software applications with a similar look and feel for an operating system or a database.


APIPA

An abbreviation for Automatic Private IP Addressing, a feature of Windows that lets a computer select an address from the 169.254.0.0/16 link-local range automatically when no DHCP server responds, so that computers on the same local network can still communicate with each other.


application

Short for application program, a program that performs a specific function for a user or another application. An application performs its functions by using the operating system of a computer or supporting applications, and communicates with supporting applications through an API.

Application layer

The uppermost layer of the TCP/IP protocol stack. At this layer, network data that has been passed up through the preceding layers of the protocol stack is rendered so that it is accessible to the application.

application pooling

A process in IIS that handles applications by providing an isolated environment for worker processes to run. One worker process will not affect any others if it fails because each process runs separately.


applicationHost.config

The XML root configuration file that contains the global settings for the local IIS 7.0 web server.


attribute

A characteristic that defines an Active Directory object. For example, the user's first name and last name are attributes of the user object.

audit policy

A policy that determines which security events are entered in the security log.


authentication

A process that verifies a computer's or network user's logon credentials, for example a registered user name and password.

authoritative restore

A procedure that restores Active Directory objects on a domain controller from a backup taken at a point in time and marks them as authoritative, so that replication from other domain controllers does not overwrite the restored objects.


autoenrollment

A Windows mechanism that automatically issues and installs PKI certificates based on configured Group Policy settings.




backup

A process that copies data to a secondary storage area as a precaution, so that lost data can be restored if the original storage area fails.


bandwidth

A measurement, expressed in bits per second (bps), of the amount of information that can flow through a digital communications channel.

bare metal restore

The restoration of backed-up data to a computer system, without the requirement of a previously installed operating system.

basic authentication

An authentication method in which a client program sends its credentials (user name and password) with a request encoded in Base64 but not encrypted, so anyone who captures the traffic can read them unless the connection itself is protected, for example by SSL/TLS.

basic disk

A physical disk that uses the partition layout understood by MS-DOS and all Microsoft operating systems. See also dynamic disk.


BCD

An abbreviation for Boot Configuration Data, a store that holds the Windows Vista or Windows Server 2008 boot applications and boot application settings used to determine operating system startup options. It replaces the boot.ini file used by older versions of Windows.


BCDEdit

A command-line tool used to edit the BCD store that controls the startup configuration of Windows Vista and Windows Server 2008 computers.


BDC

An abbreviation for Backup Domain Controller, a role that can be assigned to a server on a Windows NT 4.0 network. A BDC can assume the functions of a PDC when the PDC server fails, and it can help to balance the workload on a network. See also PDC.


BIOS

An abbreviation for Basic Input/Output System, a set of routines on a computer that provides an interface between the operating system and the hardware. The routines are stored on a chip. The BIOS supports all peripheral technologies and internal services, such as the real-time clock.

BitLocker Drive Encryption

A server data protection feature that encrypts entire volumes and provides integrity checking for the boot environment.


The ability of a router or layer 3 switch to forward DHCP (BOOTP) broadcasts to a DHCP server on another subnet.


bottleneck

In information technology, a stage or device that slows down or stops a process. For example, a slow transmission medium on a network can make the whole network perform very slowly.


broadcast

A network transmission method in which information is sent to every computer on the local subnet.




CA

An abbreviation for Certificate Authority, a server that acts as a trusted third party, issuing digital certificates to users, computers, and services as part of a PKI. See also PKI.


cache

A storage area, in memory or on a computer's hard disk, that holds copies of recently used data. For example, a web browser stores web pages in a subdirectory called the browser cache; when a user requests a page again, the browser retrieves it from the cache rather than from the server, which saves time and reduces network traffic.

caching-only server

A server that retains a cached copy of queries that have been forwarded to zone-hosting servers. This reduces traffic across WAN links to remote locations.


CAL

An abbreviation for Client Access License, a software license that permits client computers to legally connect to Microsoft server software.


CAP

An abbreviation for Common Alerting Protocol, an XML data format that allows the exchange of warning messages over differing warning systems to many applications simultaneously.


CBCP

An abbreviation for Callback Control Protocol, a protocol that provides automatic callback for a dial-up connection.


CCK

An abbreviation for Complementary Code Keying, a WLAN modulation scheme used with IEEE 802.11b wireless networks that replaced the original DSSS (direct-sequence spread spectrum) coding of the IEEE 802.11 standard for the higher 802.11b data rates.


CCP

An abbreviation for Compression Control Protocol, a mechanism that configures and enables or disables a data compression algorithm at both ends of a point-to-point link. It also provides a means of signalling the failure of the compression mechanism.


CD-ROM

An abbreviation for Compact Disc Read-Only Memory, a type of optical storage used to store text, graphics, and sound.


certificate

A file issued by a trusted third party, such as a CA, that binds a subject's identity to its public key and carries the CA's digital signature, so that others can verify the subject's ownership of the public key. See also CA.

Certificate Encryption Template

The set of rules and settings that are applied to incoming certificate requests. A version 1 template cannot be modified; a version 2 template is a copy of a version 1 template that is fully configurable.


An abbreviation for Challenge Handshake Authentication Protocol, an authentication method used by PPP servers to validate the identity of remote clients. It uses a three-way handshake both at the beginning and at intervals throughout the communication. The verification is based upon a shared secret such as a client's user password.

claim mapping

A process that occurs when an AD FS server receives an incoming claim and maps it to the corresponding outgoing claim that the trusted partner or application expects, passing on only the claims it is authorized to send.

Client Certificate Mapping

An authentication process that automatically relates certificate information to a Windows user account. There are three methods for mapping client certificates: directory service mapping, one-to-one mapping, and many-to-one mapping.


ClonePrincipal

A tool used to copy Windows NT 4.0 user and group accounts into a target domain during a migration, without affecting the production environment.


cloning

The creation, during a migration, of new accounts with new SIDs in a target domain that mirror the accounts in the source domain. See also SID.


cluster

A group of servers that function as one server.

Collector computer

The computer that receives event log data from multiple subscribed computers.


COM

An abbreviation for Component Object Model, a Microsoft interface standard that gives any programming language that supports it a means of interprocess communication and dynamic object creation.

command-line interface

A user interface to a computer's operating system or application in which a user types a command on a specified line in response to a prompt. The system responds to the command, and the user can then enter another command, and so on.

computer account

An account that uniquely identifies a computer in a domain. This account is stored in the Active Directory.

configuration partition

A directory partition replica, stored on every DC in the forest, that holds a copy of all the Active Directory configuration information that is unique to that one forest.

Control Panel

The location from which you can use the applets to change the appearance and functionality of a Windows operating system. Each applet represents an option for configuring the computer.


CRC

An abbreviation for Cyclic Redundancy Check, an error detection mechanism that uses a checksum to verify the integrity of data.


CRL

An abbreviation for Certificate Revocation List, a list, published by a CA, of certificates that have been revoked before their expiry and should no longer be trusted by the PKI. See also PKI.


CSMA/CA

An abbreviation for Carrier Sense Multiple Access / Collision Avoidance, a network contention protocol used with wireless networks to avoid collisions. In CSMA/CA a station listens until there is no activity on a channel before transmitting.


CSMA/CD

An abbreviation for Carrier Sense Multiple Access / Collision Detection, the set of rules used by Ethernet to determine how network devices respond when two devices attempt to use a data channel simultaneously. This occurrence, called a collision, is detected by all participating stations. Each station then uses a random timer to determine when it will attempt to transmit again.


CSP

An abbreviation for Cryptographic Service Provider, a software library or proprietary hardware that implements cryptographic encoding and decoding functions.


CTL

An abbreviation for Certificate Trust List, a list of root CAs that has been signed by a trusted entity. See also CA.




DACL

An abbreviation for Discretionary Access Control List, the part of an object's security descriptor that lists which users or groups (identified by SID) can access the object and which permissions each is allowed or denied. See also SID.


DAP

An abbreviation for Digest Authentication Protocol, an integrity-checking mechanism that uses a digest, calculated as a hash of the message together with a shared secret, to verify the origin of the message and that the message has not been tampered with.


data

Any form of information that is stored and accessed by a computer.


DCOM

An abbreviation for Distributed Component Object Model, a Microsoft technology that facilitates communication between software components distributed across computers on a LAN, a WAN, or the Internet.


DDNS

An abbreviation for Dynamic DNS, a system that allows the DNS data hosted on a name server to be updated in real time, so that the assignment of IP addresses to domain names can change dynamically. See also Domain Name System.


decryption

A process that converts data from its ciphered format back to its original format, so that only an authorized user can access it. See also encryption.


defense in depth

An IT security strategy that uses multiple layers of countermeasures, based on the principle that it is more difficult to penetrate a multi-layered defence than to penetrate a single barrier.


delegation

The process of assigning specific administrative rights over directory objects to users or groups. To delegate, you modify the DACL of the object (for example an organizational unit) to grant the required rights. See also DACL.
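
The following script is an added example, not code from the SkillSoft course, that performs the DACL change the definition above describes: it delegates the Reset Password right on one organizational unit to a help-desk group, then reads the DACL back to confirm the new entry. It uses the System.DirectoryServices classes, which exist on Windows Server 2008 without any extra module. The domain corp.example, the OU named Sales and the group CORP\HelpDesk are hypothetical; the two GUIDs are Microsoft's published identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example, not from the course: delegate "Reset Password" on an OU by
# adding one access control entry (ACE) to the OU's DACL.
# Assumed names (hypothetical): domain corp.example, OU Sales, group CORP\HelpDesk.

$ouDn      = 'OU=Sales,DC=corp,DC=example'
$groupName = 'CORP\HelpDesk'

# Published AD DS identifiers: the Reset Password extended right (rightsGuid)
# and the schemaIDGUID of the "user" object class.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$ou  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow the extended right on descendant objects of class "user" only: not on
# the OU itself, and not on computers or groups stored inside it. Scoping the
# ACE this tightly is what keeps the delegation least-privilege.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()      # nothing is written to the directory until this call

# Verify: re-read the object and list only the ACEs granted to the delegated group.
$ou.RefreshCache()
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $groupName } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

The verification step matters because the Delegation of Control Wizard and ad hoc DACL edits accumulate over time; reading the DACL back with GetAccessRules is also how you audit an OU for delegations that should no longer exist.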

demand dial routing

A PPP routing method that activates a dial-up connection to forward traffic and deactivates it when the transmission is complete.

Demilitarized Zone

Abbreviated to DMZ, a small subnetwork that sits between a trusted intranet, such as a corporate LAN, and an external network that is not trusted, such as the Internet. Typically the DMZ contains devices that are accessible to the Internet, such as web servers, ftp server, and mail servers.


DEP

An abbreviation for Data Execution Prevention, a Windows security feature that helps prevent malicious code from running by barring an application from executing code from a non-executable memory region.


desktop

The on-screen work area from which a user accesses a program, file, or document on a computer.

Device Manager

A utility that lists all of the devices that are installed on a computer. It allows a user to determine if the devices are functioning correctly and to enable or disable them as required.


DFS

An abbreviation for Distributed File System, a technology that lets users access, through virtual folders, network resources that are distributed across multiple servers and shared directories without needing to know their physical locations.

DFS Namespace

A virtual hierarchy of DFS files and shares distributed over multiple file servers in a Windows domain.


DHCP

An abbreviation for Dynamic Host Configuration Protocol, a communications protocol that automatically assigns a computer an IP address and other TCP/IP configuration information when the computer starts on a network. DHCP therefore lets a network administrator manage and distribute IP addresses from a central location. See also TCP/IP.

Dial-Up Networking

A utility that allows users to connect to a network through a modem.

Digest Authentication

An authentication protocol in which the server sends a challenge containing a random value (a nonce) and the client replies with a hash computed from the nonce, the user name, and the user's password. The server verifies the hash against the credentials stored in Active Directory or the local SAM, so the password itself never crosses the network. See also SAM.

directory service

A service that is used to organize, manage, and control lists of network resources, such as users, printers, and applications.

disaster recovery

A series of processes that can be used to restore a system from a failed state.

Discover Image

A boot image used to deploy images from a WDS server to computers that are not PXE-enabled or are on networks that do not allow PXE. See also PXE.

Disk Quota

A limit set by a system administrator that restricts the amount of disk space available to a user.

Distribution groups

An Active Directory group that is used to create e-mail distribution lists.


DLL

An abbreviation for dynamic-link library, a code library that applications load and call at run time, for example when a program needs to communicate with drivers and peripherals.

DNS Round Robin

An older way of load balancing where multiple answers to host queries are created and then cycled through preventing a single DNS server from overloading. See also Domain Name System.


domain

A collection of computer, group, and user objects, defined by the administrator, that share a common directory database in Active Directory. A domain provides access to the centralized user and group accounts maintained by the domain administrator. Each domain has a unique name.

domain controller

A server that contains a writable copy of the Active Directory database, partakes in Active Directory replication, and controls access to network resources in an Active Directory forest. The domain controller uses the information in the directory database to authenticate users logging onto domain accounts. The security and user account information for the entire domain is stored on a shared directory database.

domain isolation policy

An IPsec-based security policy that requires incoming connections to be authenticated as coming from computers that are members of the domain, so that computers outside the domain cannot initiate communication with the protected hosts.
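
The commands below are an added example, not part of the SkillSoft course, of how such a policy is expressed on Windows Server 2008 with connection security rules, the IPsec part of Windows Firewall with Advanced Security that netsh advfirewall consec manages. The rule names, the two domain controller addresses 10.0.0.10 and 10.0.0.11, and the audit-then-enforce rollout order are this example's own assumptions; in production the same rules are normally distributed through Group Policy rather than typed on each server.

```powershell
# Added example, not from the course: a minimal domain isolation policy built
# from Windows Server 2008 connection security rules (netsh advfirewall consec).
# Assumed: DCs at 10.0.0.10 and 10.0.0.11; rule names are arbitrary.

# 0. Exempt the domain controllers. Kerberos computer authentication needs a
#    ticket from a DC, so traffic to the DCs must not itself require IPsec.
netsh advfirewall consec add rule name=ExemptDomainControllers `
    endpoint1=any "endpoint2=10.0.0.10,10.0.0.11" action=noauthentication

# 1. Start in request mode: IPsec is negotiated when both peers support it,
#    but unauthenticated traffic is still allowed, so nothing breaks yet.
netsh advfirewall consec add rule name=DomainIsolationAudit `
    endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb

# 2. Once main mode SAs appear for the expected peers, replace the rule with
#    one that REQUIRES authentication for inbound connections. Outbound stays
#    request-only so members can still reach non-domain hosts such as printers.
netsh advfirewall consec delete rule name=DomainIsolationAudit
netsh advfirewall consec add rule name=DomainIsolation `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 3. Verify the rule set and watch the negotiated security associations.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa   # main mode SAs: which peers authenticated
netsh advfirewall monitor show qmsa   # quick mode SAs: which traffic is protected
```

Going straight to requireinrequireout is the common mistake: it cuts the host off from every non-domain device, including the DC bootstrap traffic if the exemption rule is missing, which is why the example tightens inbound only and does so in a second step.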

domain Name registration

The selection and recording of a unique domain name on the internet.

Domain Name System

A method for locating and translating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses and vice versa. This allows applications, computers, and users to query DNS to identify a remote system by fully qualified domain names instead of by IP addresses. See also DDNS.

Domain Name System namespace

A hierarchical structure that begins with the root domain, branches to top-level domains, then to second-level domains, and so on to the individual host names.

Domain Naming Master role

An Active Directory FSMO role that manages the names of all domains in a forest and is needed to add new domains or remove existing domains. This role is unique within a forest. See also Flexible Single Master Operational role.

Domain Partition

A directory partition replica that holds a copy of all the Active Directory objects that are unique to one domain. Each domain in the forest has its own unique domain directory partition.

down-stream server

A server that is subordinate to an upstream server in a WSUS architecture. It receives approvals and/or updates from the upstream server. See also WSUS.


driver

A software component that allows a hardware device to communicate with a computer system.

Driver rollback

A feature that creates a copy of the previous device driver package when a driver is updated. Should the updated driver fail to function, the backup copy can be used to restore the system.

Driver signing

A process that verifies whether specific device drivers have been tested for use with Windows operating systems.


DRM

An abbreviation for Digital Rights Management, a process that gives producers of content the ability to stop unauthorized use of the media.


DSRM

An abbreviation for Directory Services Restore Mode, a special boot mode used to log on to a Windows Server 2008 domain controller when Active Directory has failed or needs to be restored.

Dynamic Content

Interactive web content that can change in response to different contexts or conditions. It can be enabled using client-side scripting, where the dynamic content is generated on the client computer or server-side scripting, where the server changes the web page's supplied source before sending.

Dynamic disk

A physical disk that can be used with Windows XP, Windows Vista, and Windows server operating systems. Dynamic disks enable the manipulation of the partitions and volumes contained on them, without the need for a complete disk format.

Dynamic updates

A feature that allows a computer to contact a DNS server on the network and register its resource records automatically. When the computer's configuration changes, its resource records are updated dynamically. See also Domain Name System.




EAP

An abbreviation for Extensible Authentication Protocol, an authentication framework that allows the use of multiple authenticator types for PPP communications.


EAP-TLS

An abbreviation for Extensible Authentication Protocol over Transport Layer Security, a high-security EAP method that uses TLS and requires authentication of both client and server. It supports strong authenticators such as certificates and smart cards.

Encrypting file system

Abbreviated to EFS, a feature of NTFS introduced with Windows 2000 that enables users to encrypt files and folders on an NTFS partition or volume. It protects files from unauthorized access because each file is encrypted with its own randomly generated key. See also NTFS.


encryption

A process that converts data into a ciphered format that prevents unauthorized users from accessing it. See also decryption.


enrollment

The process by which a client obtains a certificate. The client requesting the certificate provides the CA with a copy of its public key and additional credentials. The CA signs the resulting certificate with its private key and returns it to the client, which is then enrolled. See also CA.


event

A significant action that occurs on a computer and is recorded by the operating system. Events may be user actions, such as opening a file, or system occurrences, such as running out of disk space.

Event Viewer

A Microsoft administration tool that is used to view server events and the logs that record these events.



failover clustering

A redundancy mechanism used to create a logical group of servers, called nodes, that can service application requests with shared data stores. In the event that a node fails another node will take over its responsibilities in a manner that is transparent to the user.


FAT

An abbreviation for file allocation table, a file system used by MS-DOS and other Windows-based operating systems to organize and manage files.


FAT32

A derivative of the file allocation table file system that supports smaller cluster sizes and larger volumes than FAT, which results in more efficient space allocation on FAT32 volumes.

Feature Delegation

A method used to control which web server configuration settings a user can see or change in IIS Manager when they are connected to the server.


file

A container used to store a document or data created with an application. Windows stores the document or data as a file and identifies it by a unique name, the filename.

file system

The set of logical structures and software routines that an operating system uses for storing and accessing data on disks.


Security software or hardware used to isolate and protect your network from unwanted intruders. A firewall uses rules or exceptions to control the traffic into your network. Firewalls can be either network-based or host-based.

Flexible Single Master Operational role

Abbreviated to FSMO, specialized domain controller assignments used for tasks that cannot function using the Active Directory multimaster replication environment. They facilitate updates to certain Active Directory objects in a single-master fashion.


A container that is used to store groups of files.

Foreign Disk

The disk status given to a dynamic disk that is moved from a local computer to another computer.


A collection of one or more Active Directory domain trees that are connected through transitive bidirectional trust relationships in a domain. The trust relationships enable users to access resources in any domain in the forest. See also domain and tree.

forest root domain

This is the first domain created in a forest.

Forward Lookup zone

A DNS zone in which hostname to IP address relations are stored. See also Domain Name System.


1. A DNS server that redirects queries to other DNS servers and sends the responses back to the DNS client. 2. In Windows XP, a kernel mode service that checks packets for filters before routing them through the appropriate interface. See also Domain Name System.


An abbreviation for File Replication Service, a service of Windows that provides multimaster file replication for selected directory trees between selected servers. FRS configures every domain controller to host a copy of the Sysvol.


An abbreviation for File Service Resource Manager, a suite of tools that allows administrators to control and manage the type and quantity of data stored on file servers.

Fully Qualified Domain Name

Abbreviated to FQDN, the complete domain name by which a network resource can be accessed. The FQDN can also extend down several tiers of the domain namespace to incorporate second-level and child domain names.

functional level

A setting that determines what Active Directory features are available for a forest or domain and what version of Windows can be used as a domain controller.




A mechanism by which information is able to go between different networks.

global catalog

A database that is automatically created on the first domain controller in a Windows forest. The global catalog contains a complete replica of all the Active Directory objects on the host domain and a partial replica of the objects on every other domain in the forest. A global catalog enables users to locate network resources in the Active Directory. Users can log on to the network only when the global catalog is available.


An abbreviation for Group Policy Container, the portion of the GPO that is stored on every domain controller in the domain and contains configuration references for the GPO. The stored information includes references for client side extensions, the path to the GPT, and paths to software installation packages. See also Group Policy Object.


1. An abbreviation for Group Policy Template, the files, contained in the SYSVOL folder on a domain controller, that contain the actual GPO settings. 2. An abbreviation for GUID Partition Table, an improved disk-partitioning scheme that uses the Extensible Firmware Interface and improves upon the standard master boot record partition design. See also Group Policy Object and GUID.

Graphical user interface

Abbreviated to GUI, an interface that enables a user to interact with the applications on a computer. A user uses the graphics, for example icons or buttons, to perform operations.


A collection of accounts that simplifies network maintenance and administration. Groups are used to collect user accounts, computer accounts, and other group accounts into manageable entities.

Group Policy

A set of configurable parameters that can be applied to users or groups of users and computers, allowing administrators to control network resources, programs, and operating systems for both users and computers in their organization.

Group Policy Management Console

Abbreviated to GPMC, a tool for Windows Server 2003 and newer operating systems that manages group policy for any domains and sites within a forest.

Group Policy Object

A group of settings that establish configurations for user and computer accounts within Active Directory domains, sites, or OUs. See also organizational unit.


An abbreviation for Globally Unique Identifier, a 128-bit identifier generated by some software applications to provide a reference number for a particular component, application, file, database entry, and/or user.



Handler Mappings

Configuration settings in IIS used to manage how applications process requests for different types of content, by directing them to specific handlers. See also IIS.

Hard quota

The maximum amount of disk storage space that the system will permit an account to use. It prevents users from creating additional files after they reach a threshold.


Additional data, often control information, that is added at the beginning of a block of data being stored or transmitted.


A measure of the status of various security and protection features on a computer compared to specified benchmarks. Examples include, but are not limited to, the currency of updates, the presence of up-to-date anti-virus and anti-spyware software, and having Windows Firewall enabled.


A Windows power management feature that maintains a computer in its current state by saving the contents of memory to disk. It prevents data from being lost if a computer's battery fails.


Any device, such as a computer, printer, or router, that uses an IP address to communicate on a TCP/IP network. Also see IP address.

Host (A)

Resource records that map DNS domain names to their IP address equivalent. Computers that share resources, such as DNS servers, mail servers, and web servers, must use A resource records. Also see Domain Name System.


An abbreviation for Health Registration Authority, a Windows Server 2008 role that validates a NAP client's compliance with an NPS (Network Policy Server) server's health requirements and then forwards a certificate request on behalf of the client to a CA. See also NAP and CA.


An abbreviation for HyperText Markup Language, a system of tags that is used to define the layout and characteristics of web pages, including the hypertext links to other documents on the Web.


An abbreviation for Hypertext Transfer Protocol, a communications protocol used to transfer information on LANs and WANs, including the Internet. By default it uses TCP/IP well-known port 80. See also TCP/IP.


An abbreviation for Hypertext Transfer Protocol over Secure Socket Layer, a secure transmission protocol that is syntactically identical to HTTP but uses SSL or TLS to provide encryption and authentication. By default it uses TCP/IP well-known port 443. See also TLS and SSL.


A Windows feature that enables the running of multiple operating systems within virtual machines on a single physical computer.




An abbreviation for Internet Authentication Service, a Microsoft version of a RADIUS server that authenticates RADIUS clients and proxy servers. See also RADIUS.


An abbreviation for Internet Control Message Protocol, part of the TCP/IP suite of protocols used to communicate diagnostic information between networked devices. Ping uses ICMP. See also ping and TCP/IP.

Identity store

A database in which passwords and usernames are stored. It can contain information on computers, users, groups, as well as other security principals.


An abbreviation for Internet Information Server, Windows server software that is used to build, run, and manage FTP and web sites. It is a prerequisite for several other server types and roles such as Application Server and Windows SharePoint Services.

Infrastructure Master

Abbreviated to IM, the Active Directory FSMO role that updates changes to user and group links by maintaining the SIDs, GUIDs, and DNS names for objects referenced across domains. This role is unique within each domain. See also Flexible Single Master Operational role.

Initial Configuration Tasks

Abbreviated to ICT, a console, presented after logon to a clean install of Windows Server 2008, that is used for post-installation configuration of server settings such as time zones, automatic updates, and network settings.

Internet Explorer Enhanced Security

Abbreviated to IE ESC, a security enhancement to Internet Explorer that reduces a server's exposure to attacks originating from Web pages that do not belong to the local intranet or trusted sites zones.

Internet service provider

Abbreviated to ISP, an organization that provides access to the Internet and related services for individuals and organizations in a specific geographic area. An ISP has the telecommunication equipment and lines to provide the networks of large organizations with direct connections to the Internet. An ISP provides users access to the Internet through dial-up connections.

Intersite replication

The replication of Active Directory partition updates between domain controllers that host the same Domain or Application partitions, but reside in different sites. This replication takes place between two dedicated bridgehead DC servers that then replicate the information to the local DCs. See also domain controller.

Intrasite Replication

The replication of Active Directory partition updates between two or more domain controllers that store replicas of the same Domain or Application partition and that reside within the same site.

IP address

Short for Internet Protocol address, a 32-bit address that identifies a host on an IP internetwork. Each host on the IP internetwork must have a unique IP address. This IP address is made up of the network ID plus a unique host ID.

IP Replication

A means of Active Directory replication that uses RPC over TCP/IP as its wire protocol for data transfer. There are two levels of RPC connectivity available: uniform high-speed synchronous RPC over IP is used for intrasite replication, and point-to-point low-speed RPC over IP is used for intersite replication. See also RPC.


A Windows command-line utility that allows you to view TCP/IP configurations on a host computer. See also TCP/IP.


An abbreviation for Internet Protocol Security, a protocol that provides encryption for IP based networks as well as authentication.


An abbreviation for Internet Security and Acceleration, a Microsoft service that functions as a firewall and offers caching and web performance features.


An abbreviation for Internet Server Application Programming Interface, interfaces specially tailored for web servers that employ Windows DLLs to make processes run faster than under regular APIs. See also DLL.

Iterative Query

Also called a nonrecursive query, a query in which the requestor asks the DNS server for the best answer that it can provide without help from other DNS servers. See also Domain Name System.




Abbreviation for Knowledge Consistency Checker, a tool that is responsible for maintaining replication paths between and within Active Directory sites.


An abbreviation for Key Distribution Center, a network service that provides the tickets and temporary session keys employed by Kerberos.


An authentication service used to allow users and services to authenticate themselves to each other. It is the default authentication service used by Microsoft Windows operating systems.



Layer Two Tunneling Protocol

Abbreviated to L2TP, a tunneling protocol that supports header compression and tunnel authentication and uses IPSec encryption. See also IPSec.


An abbreviation for Link Control Protocol, the part of the PPP suite that establishes, configures, and tests data-link connections.


An abbreviation for Lightweight Directory Access Protocol, a service protocol that runs directly over TCP/IP and is the primary access protocol for the Active Directory. The protocol defines how a directory client can access information on a directory server.


The TTL duration of an IP address assigned to a client by a DHCP server. See also DHCP.

Link Layer Topology Discovery Mapper

A Windows service that searches for network computers and creates the Network Map in the Network and Sharing Center.

Link Layer Topology Discovery Responder

An installed package that allows a computer running Windows XP to be detected and appear on a Link Layer Topology Discovery Mapper network map.

Link Local Multicast Name Resolution

Abbreviated to LLMNR, a protocol based on DNS format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same network segment.


A local plain text file that cross-references NetBIOS names to IP addresses for hosts that are not located on the local subnet.

local user profile

A user profile that is created on and limited to one computer. If a user logs on to a different computer, the user profile is unavailable. See also roaming user profile and mandatory user profile.


An abbreviation for Logical Unit Number, a unique address or identifier that provides a logical reference to a portion of a storage subsystem.



MAC address

An abbreviation for Media Access Control address, a hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sublayers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer.


An XML configuration file that contains application settings that apply to an entire computer. Typically this file is not altered, and the web.config file is used for configuring applications instead. See also XML and web.config.


An abbreviation for Multicast Address Dynamic Client Allocation Protocol, a protocol similar in concept to DHCP that allows hosts to request multicast address allocation dynamically from a MADCAP server. See also DHCP.

Mail Exchanger Record (MX)

Resource records that are used in e-mail applications to find a mail server that corresponds to the destination address in an e-mail.

mandatory user profiles

A user profile that is the same each time a user logs on, regardless of profile changes made by the user in previous sessions. It is set by an administrator. See also roaming user profile and local user profile.

Mapping of certificates to user accounts

The association of a certificate to an Active Directory user account. This streamlines the logon process by allowing a server application to use public key technology to automatically authenticate the user.

Microsoft Baseline Security Analyzer

Abbreviated as MBSA, a downloadable tool from Microsoft, used to scan a computer or multiple networked computers for security vulnerabilities.

Microsoft Management Messaging Queuing

Abbreviated to MSMQ, a computer that supplies message queuing, routing, and directory services to client computers.

Microsoft Solutions Framework

A set of guidelines that is used to implement application and infrastructure projects. MSF emphasizes people, process elements, and the technology choices of a project.


The process of moving resources from one operating environment to another in Information Technology. A migration can involve moving to new hardware, new software, a new operating system, or a combination of these. A migration can be small scale, such as migrating a single system, or it can be large scale, such as migrating many systems, new applications, or a redesigned network.


A standard for identifying the type of data contained in a file based upon its extension. It provides a means for images and other non-text documents to be included within e-mail messages.


An abbreviation for Multiple Input Multiple Output, a system that uses multiple antennas for wireless communication, both at the transmitter and receiver, to improve communication performance.


An abbreviation for Microsoft Management Console, a common console framework for administering networks, computers, services and other system components.


A command-line tool that is used to move Active Directory objects between domains in a single forest.


An abbreviation for Microsoft Point to Point Encryption, Microsoft's default encryption method used to secure PPP dial-up or PPTP-based VPN communications. Its chief advantage is that it does not require PKI certificates.


Microsoft's default authentication scheme, based upon CHAP, used by PPP servers to validate the identity of remote clients.

MSI file

A package file used by Windows Installer that includes a relational database with all the information required to install a product.

Multimaster Replication

A feature of Active Directory that distributes and maintains a consistent and writable copy of the directory across multiple servers in the domain. Since all of the replicas of a given directory partition are writable, updates can be applied to any DC which then propagates the changes to all other DCs. See also domain controller.




An abbreviation for Network Access Protection, a set of operating system components that controls access to network resources based upon a client computer's identity and compliance with administrator-defined requirements for system health.


An abbreviation for Network Address Translation, a service that translates private client IP addresses on a small network into a public IP address.


An abbreviation for Network Basic Input/Output System, an API that allows applications on different computers to communicate. See also API.


A command-line tool that is used to manage Windows 2000 domains and trust relationships.


A logical grouping of computers that allows them to communicate with one another.

Network and Sharing Center

The centralized location provided in Windows Vista and Windows Server 2008 for managing network connections and resources.

Network Policy Server

Abbreviated to NPS, the Microsoft Windows Server 2008 implementation of a RADIUS server and proxy server. It performs centralized authentication, authorization, and accounting for remote network access servers. It also acts as a health evaluation server for NAP. Also see RADIUS and NAP.


An abbreviation for Network Filesystem, a service that provides a distributed filesystem, eliminating the need for keeping multiple copies of files on separate computers.


An abbreviation for Network Load Balancing, a network component that enhances the scalability and availability of IP-based services by load-balancing IP traffic across a number of hosts and automatically redistributing traffic in the event that a host fails.


An abbreviation for Network Operating System, the software that controls the operation of a network, enabling users to communicate and to share files and peripherals.


An abbreviation for New Technology File System, an advanced Windows NT file system that uses the Unicode character set, supports filenames up to 255 characters long, and enables file-level security. This advanced file system improves the performance, reliability, and security of an operating system.



ODBC Logging

An IIS log format that writes the data in ODBC, a standard database format, which can be managed using SQL Server. See also IIS.


An abbreviation for Out of Box Experience, a description of the experience a user has when installing and/or performing initial configuration on a piece of hardware or software. The run command to start the Initial Configuration Tasks is oobe.exe.

organizational unit

Abbreviated as OU, an Active Directory container object that is used within domains. An OU can contain users, groups, computers, and even other OUs.


An Active Directory permission that grants the user control over how permissions are set for that object and to whom permissions are granted. By default, the creator of an object is the owner. The current owner of an object can grant the Take Ownership permission to other users, and an administrator can take ownership of any object under his or her administrative control.




A unit that consists of binary information that is used to transmit data over a network.


A division of the physical space on a hard drive that functions as if it were a separate disk.

partition table

A table stored in a standard location and in a standard format on the disk that describes what filesystem is used in each partition and where each partition begins and ends.


A security measure that is used to restrict access to a computer and its resources, and that restricts logon names to user accounts. Passwords can be made up of letters, numbers, and symbols, and are case sensitive. When a user enters a password, the computer system displays the characters as asterisks.


An abbreviation for Primary Domain Controller, a role that can be assigned to the first server installed on a Windows NT 4.0 server or earlier network. The PDC manages the master read/write copy of the directory database for the domain. The PDC authenticates domain logon attempts and updates computer, group, and user accounts in a domain. See also BDC.

PDC emulator role

An Active Directory FSMO role that serves several functions: it is the authoritative source for time in a domain, it emulates a Windows NT primary domain controller, and it is favored by all other DCs in the replicating and confirming of password information. This role is unique within each domain. See also Flexible Single Master Operational role.

peer-to-peer networks

A network where every computer can share files and peripherals with all other computers on the network, and access control is local to the computer.

Performance monitor

A utility that displays real-time performance data, enabling you to monitor the status of system and network resources.


Rights that are assigned to individual users or user groups so that they can access specific resources, such as folders or printers.


An abbreviation for Personal Identification Number, a secret numeric password that is typically used in conjunction with a non-confidential user identifier or token as part of an authentication procedure to grant access to a networked computer or resource.


A utility that tests TCP/IP connectivity to a remote host. It works by sending a packet to an IP address and waiting for the destination host to reply. See also TCP/IP.


An abbreviation for Public Key Infrastructure, a certificate deployment architecture where a public and private cryptographic key pair that is obtained and shared through a trusted authority is used to secure network communications.

Plug and Play

The technology that allows a computer to detect and configure a device and install the appropriate device driver.

policy settings or policy

This is the configuration or change in a GPO. See also Group Policy Object.


An abbreviation for Point-to-Point Tunneling Protocol, a tunneling protocol that works on IP-based internetworks and has built-in PPP encryption. It is widely compatible with Windows-based operating systems.

primary partition

A partition on a hard drive that is used to boot up the computer. It is the first partition that is created on the hard drive.


The physical device that prints text or images on paper.

printer pooling

A method of load-balancing for printers where print jobs are distributed to multiple identical printers connected to a single print server.

Private Key Encryption

Also called symmetric encryption, a method for securing data where the sender and receiver of information share a common secret key that is used for both encryption and decryption.

private network

A network that is restricted to a specific organization or set of users. Computers on the Internet are prevented access. See also public network.


An action, performed by a computer, that manipulates data and executes instructions.


The rules that are used to allow computers to communicate with each other across a network.

Provision a Shared Folder Wizard

A wizard-based tool that simplifies the process of creating and configuring shared folders that can be accessed either by using SMB or NFS protocols. See also SMB and NFS.


An abbreviation for Pointer, a resource record that maps IP addresses to their DNS domain names. These resource records are used in the reverse lookup process.

Public Key Encryption

Also called asymmetric encryption, a method for securing data where two different mathematically related keys, called a key pair, are used to encrypt and decrypt the information. Information encrypted with one key can only be decrypted using the other half of the key pair.

public network

A network that allows unrestricted access. The Internet is an example.


A method of distributing information hosted on Windows Server 2008 servers throughout the network into Active Directory.


An abbreviation for Preboot Execution Environment, an environment typically used for remote network installations, that provides the ability to boot computers using a network interface independently of available data storage devices.



quorum resource

The single resource, in every cluster, that is selected to maintain the configuration data necessary for the recovery of the cluster. Also see cluster.




An abbreviation for Remote Authentication Dial-In User Service, a protocol that provides authentication, authorization, and accounting services for remote access servers. RADIUS provides a single point of management for multiple remote access servers. Using RADIUS, you can configure remote access servers to share a common policy and to log authentication events centrally.


An abbreviation for Redundant Array of Independent Disks, a method of storing the same data in different places on multiple hard disks. The input/output operations can therefore overlap. RAID improves performance, increases the mean time between failures (MTBF), and increases fault tolerance.

raise domain functional level

A mechanism by which additional domain-wide Active Directory features can be enabled, outdated backward compatibilities can be removed, and the security and performance of Active Directory can be improved.

raise forest functional level

A mechanism by which additional forest-wide Active Directory features can be enabled, outdated backward compatibilities can be removed, and the security and performance of Active Directory can be improved.


An abbreviation for Remote Access Service, a feature of Windows NT 4.0, Windows 2000, and Windows .NET servers that allows remote users to access a network from their Windows laptops or desktops via modem.


An abbreviation for Role-based Access Control, a system of access control where access rights are mandated by role name within the corporate or network environment, and access to resources is restricted to users who have been authorized to assume the associated role.


An abbreviation for Remote Differential Compression, a protocol, used with DFS, that allows file updates over a limited bandwidth network by determining which blocks have been changed in a file and then replicating those changes. See also DFS.


An abbreviation for Remote Desktop Protocol, a protocol that provides an encrypted channel used by remote desktop for a secure connection to a computer running Microsoft terminal services.


An entry in DNS used to cross-reference an IPv4 or IPv6 address and the fully qualified domain name (FQDN). Also see Domain Name System.

Recovery Console

A command-line console tool that allows administrators using Windows 2000, Windows 2003, or Windows XP to repair damaged systems.

recursive query

A query in which the requestor asks the DNS server to assume the full workload and responsibility for providing a complete answer to the query.


A response to a DNS query that does not contain the requested answer, but which contains one or more authoritative name servers that are closer to the requested name.


A database repository for information about a computer's configuration.

registry key

An entry, similar to a folder within a virtual hierarchy, that contains either subkeys or configuration setting values for Windows operating systems and applications.


A calculation of how stable a computer's hardware, operating system, applications, and servers really are.

Reliability Performance Monitor

A new feature in Windows Server 2008 that combines previously stand-alone features of Windows Server 2003 such as Server Performance Advisor, Performance Logs and Alerts, and System Monitor. This allows you to monitor the server from one MMC rather than having to use several consoles. See also MMC.


The process of updating non-compliant NAP client computers so that they meet health requirements needed for network access. See also NAP.

Remote assistance

A help and support component that allows novice PC users to access real-time hands on help with any problems they may be having.

Remote desktop

A utility used to connect to a PC's desktop from a remote location.

Replica mode

An administrative mode on a WSUS server that allows the WSUS server to inherit the configuration from the upstream server. See also WSUS.


A service that enables the transfer of data between domain controllers and network servers, in order to ensure consistent and reliable copies of directory and file system databases are available on all servers. Replication of the Active Directory occurs through the Directory Replicator Service, and replication of the file system occurs through DFS replication. See also DFS.

Request Filtering

A security tool that allows web server administrators to restrict the types of HTTP requests that IIS will process, preventing potentially harmful requests from damaging the server.

Request for Comments

Abbreviated as RFC, a document defined by the Internet Engineering Task Force (IETF) that specifies the details for the TCP/IP family of protocols.


1. A host that performs a recursive search, by querying name servers, of the DNS system in order to locate records that answer a query. 2. A client program or service used to look up DNS information by querying name servers.

response file

A specification file, used to automate a process, that contains the information normally provided by the user through the GUI.

reverse look-up zone

Also called an IN-ADDR.ARPA zone, it is a DNS zone that maps IP addresses to names.


An abbreviation for Relative Identifier, the part of a SID that is unique within a domain and identifies a security principal within that domain. See also SID.

RID master role

An Active Directory FSMO role that allocates security RIDs to DCs, which are then assigned during the creation of new Active Directory security principals. It also manages the movement of objects between domains. This role is unique within each domain. See also Flexible Single Master Operational role.


An abbreviation for Remote Installation Services, a group of services that allows an administrator to set up new client computers remotely.

roaming user profile

A user profile that is downloaded to a local computer from a server each time a user logs on and is copied to a server each time a user logs off.


An abbreviation for Read Only Domain Controller, a type of domain controller intended for branch office scenarios or low-security environments. Read Only Domain Controllers store only a non-writeable copy of the Active Directory database.

root hints

A file that contains a list of the DNS namespace root servers. If a DNS server cannot resolve a query then the server uses the root hints to find the proper resolution to the query.

routing table

A table that shows IP destinations and the route that the client must take to be able to reach them.


An abbreviation for Remote Procedure Calls, a transport facility using synchronous transfer for either inter-site or intra-site replication and communication.


RRAS

An abbreviation for Routing and Remote Access Service, a single integrated service that provides both multiprotocol routing and remote access. RRAS can be used to configure features such as a VPN gateway, NAT, and local area network routing. See also VPN and NAT.


RSAT

An abbreviation for Remote Server Administration Tools, a downloadable set of tools used for the remote management of Windows Server roles and features from an administrator's workstation.


RSoP

An abbreviation for Resultant Set of Policy, a tool that lets administrators see the combined effect of all Group Policy settings that apply to a targeted user or computer.




SACL

An abbreviation for System Access Control List, the part of a security descriptor that specifies which access attempts by which users or groups generate audit events (on success, on failure, or both). See also discretionary access control list.


SAM

An abbreviation for Security Accounts Manager, the registry-based database that stores the local user and group accounts of a workstation or member server; domain accounts are stored in Active Directory instead.


scavenging

A mechanism that removes stale dynamically registered DNS records and expired WINS records that would otherwise accumulate over time. See also WINS.


schema

The structure that defines the object classes and attributes that Active Directory supports.

Schema Master Role

An Active Directory FSMO role that controls all updates and modifications to the schema. This role is unique within a forest. See also Flexible Single Master Operational role.

Schema partition

A directory partition holding the definitions of all the object classes and attributes that the forest supports. There is one schema partition per forest, and every domain controller in the forest holds a replica of it.


scope

A range of IP addresses that a DHCP server uses to supply addresses, together with associated options, to clients on one subnet.

Secure Channel

An authenticated, encrypted communications channel between a domain member computer and a domain controller. The Netlogon service establishes it at start-up by authenticating to the domain with the computer account's name and password; pass-through authentication of user logons then travels over it.


security

The protection of information and data against unauthorized access, modification, or destruction.

Security Descriptor

Abbreviated as SD, the access-control information attached to every securable object (files, registry keys, Active Directory objects, and so on). It records the object's owner and primary group, a DACL that controls what access security principals are allowed, and a SACL that controls what access attempts are audited.
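The parts of a security descriptor are easiest to see in its Security Descriptor Definition Language (SDDL) string form, the form returned by the Sddl property of a PowerShell Get-Acl result. The following parser is an added example written for this glossary; it is not code from the course. The SDDL string it parses is constructed for the example, and the tables of well-known SID and rights abbreviations cover only the handful used here.

```python
"""Parse a security descriptor given in SDDL form into owner, group, DACL and SACL."""
import re

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
# Only the abbreviations this example needs; SDDL defines many more.
WELL_KNOWN_SIDS = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
                   "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
                   "AU": "Authenticated Users", "CO": "CREATOR OWNER",
                   "DA": "Domain Admins"}
RIGHTS = {"FA": "file all access", "FR": "file read", "FW": "file write",
          "FX": "file execute", "GA": "generic all", "GR": "generic read"}

# Constructed example, not taken from a real system: owner Administrators, group SYSTEM,
# a protected DACL giving Administrators and SYSTEM full control and Users read access,
# and a SACL that audits every failed access attempt by anyone.
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)"
               "S:(AU;OICIFA;FA;;;WD)")


def parse_acl(text):
    """'PAI(A;OICI;FA;;;BA)...' -> (ACL control flags, list of 6-field ACE tuples)."""
    first = text.find("(")
    flags = text if first < 0 else text[:first]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("an ACE has six ';'-separated fields: (%s)" % body)
        aces.append(tuple(fields))
    return flags, aces


def parse_sddl(sddl):
    """Split on the O:, G:, D: and S: components; each ACL is parsed with parse_acl."""
    heads = list(re.finditer(r"[OGDS]:", sddl))
    if not heads or heads[0].start() != 0:
        raise ValueError("not an SDDL string: %r" % sddl)
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    names = {"O:": "owner", "G:": "group", "D:": "dacl", "S:": "sacl"}
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(sddl)
        body = sddl[head.end():end]
        key = names[head.group()]
        sd[key] = parse_acl(body) if key in ("dacl", "sacl") else body
    return sd


def describe_ace(ace):
    """Expand one ACE tuple into readable fields; audit ACEs also report SA/FA."""
    ace_type, ace_flags, rights, _obj, _inherit_obj, sid = ace
    flags = [ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)]  # all flags are 2 letters
    info = {"type": ACE_TYPES.get(ace_type, ace_type),
            "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            "rights": RIGHTS.get(rights, rights),
            "inherits": "OI" in flags or "CI" in flags}
    if ace_type == "AU":
        info["audit"] = [f for f in ("SA", "FA") if f in flags]
    return info


def audit_coverage(sddl):
    """(trustee, [SA/FA]) for each audit ACE: what the SACL will log and for whom."""
    sd = parse_sddl(sddl)
    if sd["sacl"] is None:
        return []
    return [(describe_ace(a)["trustee"], describe_ace(a)["audit"])
            for a in sd["sacl"][1] if a[0] == "AU"]


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", WELL_KNOWN_SIDS.get(sd["owner"], sd["owner"]))
    for ace in sd["dacl"][1]:
        print("DACL:", describe_ace(ace))
    print("SACL audits:", audit_coverage(SAMPLE_SDDL))
```

Note that a descriptor with no S: component has no SACL at all, so nothing about the object is audited regardless of the audit policy in effect; audit_coverage returns an empty list in that case, which is the condition to look for when checking that sensitive objects are actually being audited.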

security group

A group to which permissions on shared resources and user rights can be assigned in Active Directory; its members receive them. Contrast with a distribution group, which is used only for e-mail distribution.

security principal

An object that is automatically assigned a SID when it is created and can therefore be granted permissions and user rights. A security principal can be a user, group, computer, or service account. See also SID.

security template

A group of security-related configuration settings (account policies, local policies, event log settings, restricted groups, system services, and registry and file system permissions) stored as a text file with the .inf extension. Templates are created and edited in the Security Templates snap-in, and are applied to a computer, or compared against its current settings, with the Security Configuration and Analysis snap-in or the secedit command.
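Because a security template is a plain INI-style text file, its account-policy section can be checked against a baseline before it is ever applied. The script below is an added example for this glossary, not the course's own material: the template text is constructed in the real secedit layout, and the baseline values are illustrative minimums, not a Microsoft recommendation.

```python
"""Parse a security template (.inf) and flag account-policy settings weaker than a baseline."""

# Constructed template text in the layout secedit and the Security Templates snap-in use.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 24
LockoutBadCount = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Illustrative baseline for this example; an organisation would substitute its own policy.
BASELINE = {
    "MinimumPasswordLength": ("min", 14),
    "PasswordComplexity": ("min", 1),
    "PasswordHistorySize": ("min", 24),
    "LockoutBadCount": ("range", (1, 10)),    # 0 means accounts never lock out
    "MaximumPasswordAge": ("range", (1, 90)),  # 0 means passwords never expire
}


def parse_template(text):
    """Return {section: {key: value}}; keys keep their case, values are stripped strings."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("unexpected line outside a section: %r" % raw)
    return sections


def weak_settings(text, baseline=BASELINE):
    """List (setting, actual, requirement) for every policy below the baseline or missing."""
    access = parse_template(text).get("System Access", {})
    findings = []
    for key, (kind, want) in baseline.items():
        if key not in access:
            findings.append((key, None, "missing"))
            continue
        actual = int(access[key])
        if kind == "min" and actual < want:
            findings.append((key, actual, "must be >= %d" % want))
        elif kind == "range" and not (want[0] <= actual <= want[1]):
            findings.append((key, actual, "must be between %d and %d" % want))
    return findings


if __name__ == "__main__":
    for setting, actual, requirement in weak_settings(SAMPLE_TEMPLATE):
        print("%-22s %-5s %s" % (setting, actual, requirement))
```

Only the [System Access] section is interpreted here; the same parser returns the [Privilege Rights] and [Version] sections unchanged, so checks on user-right assignments (for example, who holds SeNetworkLogonRight) can be added on top of it.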


segment

A section of a network, bounded by bridges, routers, or switches, within which all attached devices share unrestricted layer 2 connectivity.

self-signed certificate

A certificate signed with its own private key rather than by a recognized certification authority. Because no trusted third party vouches for it, other systems treat it as untrusted unless it is explicitly installed in their trusted root store, so it is typically used only on test networks.

SEP File

A file used to generate separator pages for print jobs and to switch automatically between printer languages such as PostScript and PCL.


server

A computer on a network that processes client requests or provides a service used by other network hosts or devices.

Server Core

A type of installation that provides a minimal environment, without the graphical shell, for running specific server roles. A Server Core installation has a reduced attack surface and aims to reduce maintenance and administrative overhead.

Server Manager

Server Manager is a management tool that allows Administrators to add or remove commonly used roles and features.


service

A process that runs in the background, independently of any interactive user, to support applications or the operating system itself.

Service Account

The account whose identity a service runs under. Windows provides the built-in Local System, Local Service, and Network Service accounts for this purpose; a service can also be configured to run under a local or domain user account created for it.


SFD

An abbreviation for Start Frame Delimiter, a sequence of 8 bits with the bit pattern 10101011 that marks the start of an Ethernet frame.

shared resource

A device, file, or folder on a computer that can be remotely accessed from other computers on a network as if the resource was on the local machine.


SHA

An abbreviation for System Health Agent, the client component that generates a statement of health describing the health of the client computer, which NAP uses to decide whether to grant the client access.


SHV

An abbreviation for System Health Validator, the server component that evaluates the statement of health generated by the SHA and produces a SoH response, which the NAP health policy server uses to determine the client's level of access.


SID

An abbreviation for Security Identifier, a variable-length data structure that uniquely identifies a user, group, or computer account. A SID is issued when the account is created and is never reused, even if the account is deleted and recreated with the same name.


sIDHistory

An attribute of an Active Directory object that stores the former SIDs of an account migrated from another domain, so that the account keeps access to resources whose permissions still reference the old SID.
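The SID, RID and sIDHistory entries above describe one data structure, so a single worked example covers them. This is an added example written for this glossary, not code from the course: it decodes the binary SID layout documented by Microsoft in MS-DTYP (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities), extracts the RID, and applies a review check to sIDHistory values. The SID bytes and the sIDHistory list are constructed for the example; the table of well-known RIDs lists only a few of them.

```python
"""Decode binary SIDs, pick out the RID, and review sIDHistory entries."""
import struct

# A few well-known RIDs; RIDs below 1000 are reserved, new principals get 1000 and up.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
PRIVILEGED_RIDS = (500, 512, 519)

# Constructed binary SID: S-1-5-21-305419896-180150000-4660-512
SAMPLE_SID_BYTES = bytes.fromhex("0105000000000005"   # revision 1, 5 sub-authorities, authority 5
                                 "15000000"           # 21
                                 "78563412"           # 0x12345678 (little-endian)
                                 "f0debc0a"           # 0x0ABCDEF0
                                 "34120000"           # 0x1234
                                 "00020000")          # 0x200 = 512


def decode_sid(data):
    """Binary SID -> 'S-<revision>-<authority>-<sub-authorities>'."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(data) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, data[8:])     # 32-bit each, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text):
    """String SID -> binary form (inverse of decode_sid)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(text):
    """(domain identifier, RID): the RID is the last sub-authority of a domain SID."""
    head, _, rid = text.rpartition("-")
    return head, int(rid)


def describe_rid(text):
    domain, rid = split_sid(text)
    name = WELL_KNOWN_RIDS.get(rid)
    if name is None:
        name = "reserved RID" if rid < 1000 else "RID from a DC's allocated pool"
    return domain, rid, name


def flag_sid_history(object_sid, sid_history):
    """sIDHistory values that merit investigation: a SID from the object's own domain
    (migration never produces that) or a SID carrying a privileged well-known RID."""
    own_domain, _ = split_sid(object_sid)
    flagged = []
    for old in sid_history:
        domain, rid = split_sid(old)
        if domain == own_domain or rid in PRIVILEGED_RIDS:
            flagged.append(old)
    return flagged


if __name__ == "__main__":
    sid = decode_sid(SAMPLE_SID_BYTES)
    print(sid, describe_rid(sid))
    print(flag_sid_history("S-1-5-21-305419896-180150000-4660-1105",
                           ["S-1-5-21-1-2-3-1204", "S-1-5-21-305419896-180150000-4660-512"]))
```

The sIDHistory check is the part a reviewer would reuse: after a legitimate migration the attribute holds SIDs from the source domain only, so an entry from the object's own domain, or one ending in a privileged RID such as 512, indicates the attribute was written by something other than the migration tools.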


The virtualized partition in which a virtual application is launched.


SIM

An abbreviation for Windows System Image Manager, the GUI tool used to create setup answer files for unattended deployments of Windows operating systems and applications.

Single Sign On

Abbreviated as SSO, a mechanism whereby a single act of user authentication permits access to all the resources the user is authorized for, without entering further passwords.


SIS

An abbreviation for Single Instance Store, a technique that lets multiple software images on a RIS server use less disk space by storing duplicate files only once. See also RIS.


site

In Active Directory, a set of well-connected TCP/IP subnets that reflects the physical network structure. Sites direct clients to nearby domain controllers and control how replication between locations is scheduled and compressed.


SMB

An abbreviation for Server Message Block, the protocol used to share files, printers, and other resources on a Windows network.


SMTP

An abbreviation for Simple Mail Transfer Protocol, the protocol used to transfer e-mail over a TCP/IP network. Active Directory can also use SMTP, with certificates from an enterprise CA, as an asynchronous inter-site replication transport for the schema, configuration, and global catalog partitions, but not for domain partitions.


SOAP

An abbreviation for Simple Object Access Protocol, an XML-based messaging protocol for exchanging structured information between web services, usually carried over HTTP.

soft quota

A disk storage space threshold that if exceeded will send a message to the user or carry out some other preconfigured action. It does not prevent the user from creating additional files after they reach the threshold.


SoftGrid

The former name of Microsoft Application Virtualization (App-V).

Software Update Services

A group of services, the predecessor of WSUS, that lets administrators download Microsoft updates and hotfixes to a corporate server and distribute them to other servers and client workstations on the network. See also WSUS.


SoH

An abbreviation for Statement of Health, a document generated by the client's SHA that describes the health of the client computer and that NAP uses to decide whether to grant the client access.


spooling

The queuing of print jobs by storing them temporarily in a file or buffer and sending each one to the printer when the printer is able to process it.


SRV record

A service locator DNS resource record, used to find hosts that offer a particular service over a particular protocol. Active Directory clients use SRV records (for example _ldap._tcp.dc._msdcs.<domain>) to locate domain controllers.


SSI

An abbreviation for Server Side Includes, simple commands embedded in HTML that tell a web server to execute a program or to include data in an HTML document before it is sent.


SSL

An abbreviation for Secure Sockets Layer, an older cryptographic protocol that provides authenticated, encrypted communication between applications across a network. Its successor is TLS.


SSTP

An abbreviation for Secure Socket Tunneling Protocol, a VPN protocol introduced with Windows Server 2008 and Windows Vista SP1 that carries PPP traffic inside an SSL/TLS (HTTPS) session on TCP port 443, so it passes firewalls and NAT devices that block PPTP and L2TP/IPsec.

Stability Index

A statistic ranging from one to ten that is a measure of the aggregated failures on a system over a period of time.

Staging Server

A server that is used to test and complete quality analysis on content before it is deployed on a production server.

standalone server

A server that is not integrated into Active Directory, instead maintaining its own user accounts database.

Start menu

A menu in Windows that allows easy access to frequently used files and applications.

BitLocker startup key

A USB flash drive holding a key file that BitLocker needs to unlock the operating system volume. On computers without a TPM version 1.2 or later it is the only available protector for the operating system volume; on TPM computers it can be added as a second factor. The drive must be present each time the computer starts.

static content

A static web page that always contains the same information in response to all of the download requests.

Streaming Media Server

A dedicated server outfitted with specialized software that allows the streaming of audio, video, and rich media files out over the Internet.


subkey

An entry within a registry key, comparable to a subfolder, that itself contains further subkeys or values.

subnet mask

A 32-bit value that separates the network ID from the host ID in an IP address. It is written in the same dotted-decimal form as an IP address, and its binary form is a run of ones (marking the network portion) followed by a run of zeros (marking the host portion). The octets are therefore not limited to 255 or 0: 255.255.255.192, for example, leaves six host bits and divides a /24 network into four subnets of 62 usable addresses each. Subnet masks are used to divide an address range into subnets, independently of the old IP address classes.
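As an added example for this glossary (not code from the course), the functions below validate that a mask is a contiguous run of ones and compute what it says about an address; the addresses are constructed for the example and the code uses nothing beyond the Python standard library.

```python
"""Validate a dotted-decimal subnet mask and split an address into network and host parts."""


def dotted_to_int(text):
    """'192.168.1.77' -> 32-bit integer; rejects anything that is not four octets."""
    octets = text.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-decimal value: %r" % text)
    return int.from_bytes(bytes(int(o) for o in octets), "big")


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Number of leading one bits; raises if ones and zeros are interleaved."""
    m = dotted_to_int(mask)
    ones = 0
    while ones < 32 and (m >> (31 - ones)) & 1:
        ones += 1
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def is_valid_mask(mask):
    try:
        prefix_length(mask)
        return True
    except ValueError:
        return False


def split_address(ip, mask):
    """Network ID, host number, broadcast address and usable host count for ip/mask."""
    n = prefix_length(mask)
    a, m = dotted_to_int(ip), dotted_to_int(mask)
    network = a & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {"prefix": n,
            "network": int_to_dotted(network),
            "host": a & ~m & 0xFFFFFFFF,
            "broadcast": int_to_dotted(broadcast),
            "usable_hosts": max(2 ** (32 - n) - 2, 0)}  # /31 and /32 have none


def same_subnet(ip_a, ip_b, mask):
    m = dotted_to_int(mask)
    return dotted_to_int(ip_a) & m == dotted_to_int(ip_b) & m


if __name__ == "__main__":
    print(split_address("192.168.1.77", "255.255.255.192"))
    print(same_subnet("192.168.1.77", "192.168.1.130", "255.255.255.192"))
```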


subscription

A form of centralized log management, provided by Windows Event Forwarding, in which registered source computers send the events selected by the subscription to a central collector computer.

Symmetrical Multiprocessing

Abbreviated to SMP, an architecture that enables the processing of programs by multiple microprocessors that share a common operating system and memory.

System State Backup

A backup in which all of the configuration data in Windows Server 2008 is backed up including the server role data, registry, and Active Directory.


SYSVOL

A shared directory that stores the domain's public files, such as Group Policy templates and logon scripts. It is created automatically on every Windows 2000, Windows Server 2003, and Windows Server 2008 domain controller and replicated among them.



Task Manager

A Windows monitoring tool that displays information about the programs and processes currently running on a computer as well as statistics for CPU and memory performance.


taskbar

A bar, by default at the bottom of the desktop, that holds the Start button, a button for each running program, and the notification area in which the icons of programs started at logon appear.


TCP/IP

An abbreviation for Transmission Control Protocol/Internet Protocol, the standard routable networking protocol suite that lets dissimilar systems connect to each other. It consists of several protocols that work together to allow computers to communicate across large-scale networks such as the Internet.


Telephony API

Also called TAPI, an application programming interface that provides interoperability between PCs and telephone equipment, allowing Windows clients to access voice services on a server.

Terminal Services

A Windows service that allows its clients to access Windows features through a server that handles all program execution.

Terminal Services Easy Print

A feature that lets users print from a Terminal Services session, including a TS RemoteApp session, to a printer installed on their client computer without the printer's driver being installed on the terminal server; the job is routed back to the client.

Terminal Services Gateway

A role service that lets authorized remote users reach terminal servers and remote desktops on the internal network through a tunnel that carries RDP inside HTTPS (TCP port 443), so the connection crosses firewalls without the RDP port being opened.

Terminal Services RemoteApp

A feature that integrates applications that are run remotely with a local user's desktop.

Terminal Services Session Broker Load Balancing

A feature that distributes new user sessions across a terminal server farm by directing each new connection to the server with the fewest sessions, and that reconnects a user who has a disconnected session to the server hosting it.


threshold

In failover clustering, the property of a resource that defines how many times it may fail on one node before it is failed over to another node.


TLS

An abbreviation for Transport Layer Security, a cryptographic protocol that provides authenticated, encrypted communication between applications across a network. It is the successor to SSL.


tombstone

A deleted Active Directory object is not removed immediately but converted into a tombstone: most of its attributes are stripped and it is moved to the hidden Deleted Objects container, where it remains for the tombstone lifetime (180 days by default for forests created on Windows Server 2003 SP1 or later, 60 days for older forests) so that the deletion replicates to every domain controller. Within that period a tombstone can be reanimated, although attributes stripped at deletion, such as group memberships, are not recovered.


topology

In Windows, the relationships that exist among a set of network components. For example, in Active Directory the replication topology is the set of connections that domain controllers use to replicate information to each other.


TPM

An abbreviation for Trusted Platform Module, a secure microcontroller with cryptographic functions and protected key storage. BitLocker can use it to seal the volume encryption key to measurements of the boot components, so that the drive is unlocked only if the start-up sequence has not been altered.

transitive trust

A trust relationship that extends beyond the two domains that directly share it: if domain A trusts B and B trusts C, then A trusts C. In Windows Server 2008 the two-way trusts between parent and child domains in a tree, and between tree roots in a forest, are transitive by default.

Transport mode

The default IPsec mode for traffic between hosts, typically a client and a server. The original IP header is kept and only the payload is protected: ESP encrypts (and optionally authenticates) the payload, while AH authenticates the payload and the unchanging header fields without encrypting anything.


tree

A group of Active Directory domains in a Windows network that share a contiguous namespace (for example, corp.example.com beneath example.com) and are joined by transitive two-way trust relationships. See also forest.


TS CAL

An abbreviation for Terminal Services Client Access License, a Microsoft license required for every user or device that connects to Terminal Services in Windows Server 2008.


TS CAP

An abbreviation for Terminal Services Connection Authorization Policy, a policy that governs which remote users or computers may connect through a TS Gateway.


TS RAP

An abbreviation for Terminal Services Resource Authorization Policy, a policy that governs which internal terminal servers and remote desktops a remote user may reach through a TS Gateway.

TS Session Broker

A Windows Server 2008 role service that provides load balancing functionality for a Terminal Services server farm.


TTL

An abbreviation for Time to Live, a value that sets how long data, such as a cached DNS record, remains valid; once it expires the data is discarded or refreshed. In an IP header the TTL field instead counts the number of router hops a packet may traverse before it is dropped.

Tunnel Mode

The IPsec mode in which the entire original IP packet, header and data, is encapsulated inside a new IP packet and encrypted and/or authenticated, so that only the outer header is visible in transit. It is used mainly between gateways (network-to-network) and between a host and a gateway, for example for site-to-site VPN tunnels, although it can also be used host-to-host.




UAC

An abbreviation for User Account Control, a feature that runs all tasks with standard user privileges by default, even for members of the Administrators group, and prompts for consent or credentials before a task is elevated to run with administrative privileges.


UGMC

An abbreviation for Universal Group Membership Caching, an Active Directory feature that conserves WAN bandwidth by caching a user's universal group memberships on a local domain controller, so that logons in a site without a global catalog server do not require queries to a remote global catalog.


UNC

An abbreviation for Universal Naming Convention, a syntax for naming the location of a network resource in the form \\servername\sharename\path\filename.

uninterruptible power supply

Abbreviated to UPS, a device containing a battery that allows a computer to keep running for at least a short time after the primary power source is lost. When the UPS notifies a user of the power loss, the user can save any data he or she is working on and exit the computer before the battery runs out. During a spike or power surge, the UPS intercepts the surge or spike so that it doesn't damage a user's computer.

upstream server

The server in a WSUS hierarchy from which downstream servers obtain update files and, optionally, approvals. The Microsoft Update servers on the Internet are the ultimate upstream source. See also WSUS.


URL

An abbreviation for Uniform Resource Locator, the address that identifies a resource on the Web, consisting of a scheme (such as http), a host name, and a path.

URL authorization

A mechanism used to limit the users who can access a web site or a specific web page by allowing rules to be attached to the web site.

user account

An account that uniquely identifies a user in a network. This type of account includes information such as user name, password, assigned permissions and user rights, and groups to which the user belongs. This account can be stored in Active Directory or on a local computer. See also computer account.

User Mode

Refers to the user mode of an MMC console. A console saved in user mode cannot be modified by the person using it, unlike one opened in author mode. There are three user modes: full access; limited access, multiple window; and limited access, single window. See also MMC.

user policy

This is the part of a group policy object that allows you to define what a user is allowed and not allowed to do.

user profile

A file containing user-specific data that defines a user's working environment. The profile can include desktop settings, application settings, and persistent network connections. Each user's preferences are saved to a user profile that Windows uses to configure the desktop each time the user logs on to the system.




An abbreviation for Volume Activation Key, Microsoft's method for automating the activation of software for volume-license customers while minimizing the risk of piracy. Under the Volume Activation 2.0 model used by Windows Vista and Windows Server 2008, computers activated through a Key Management Service (KMS) host must renew their activation with that host at least every 180 days.


VAN

An abbreviation for Value Added Network, a private network, usually operated by a third-party provider, that lets trading partners exchange business documents securely and efficiently.


VHD

An abbreviation for Virtual Hard Disk, a file (.vhd) that a virtual machine uses as a hard disk. A fixed-size VHD occupies its full allocated size on the host from creation; a dynamically expanding VHD grows as data is written, up to the maximum size set when it was created.


virus

A piece of program code, usually disguised as something else, that can damage files or components on a computer. A virus is often designed to spread automatically to other users, for example as an e-mail attachment, a download, or a file on removable media. Some viruses act as soon as their code is executed, whereas others lie dormant until some condition causes the computer to execute their code.


VLAN

An abbreviation for Virtual LAN, a logical LAN (broadcast domain) configured on switches, commonly with IEEE 802.1Q tagging, so that hosts attached to different physical switches or segments behave as if they were on one LAN, while hosts on the same switch can be placed in separate VLANs and reach each other only through a router or firewall.


VMM

An abbreviation for Virtual Machine Manager (System Center Virtual Machine Manager), which manages both virtual machines and the physical hosts that run them, and provides rapid deployment of new virtual machines from templates.


VPN

An abbreviation for Virtual Private Network, a network that uses tunneling protocols such as PPTP, SSTP, and L2TP/IPsec to create secure connections across a public network such as the Internet.



Wake on LAN

The ability to power on a sleeping or shut-down computer remotely by sending a specially formatted ("magic") packet to its network adapter.


WAS

An abbreviation for Web Administration Service, an isolated web management process that keeps running regardless of any error a hosted web application may be experiencing.


An abbreviation for Windows Cluster Service, a feature t