• PDC Emulator - This role is the most heavily used of all FSMO roles and has the
widest range of functions. The domain controller that holds the PDC Emulator
role is crucial in a mixed environment where Windows NT 4.0 BDCs are still
present. This is because the PDC Emulator role emulates the functions of a
Windows NT 4.0 PDC. But even if you've migrated all your Windows NT 4.0
domain controllers to Windows 2000 or Windows Server 2003, the domain
controller that holds the PDC Emulator role still has a lot to do. For example, the
PDC Emulator is the root time server for synchronizing the clocks of all Windows
computers in your forest. It's critically important that computer clocks are
synchronized across your forest because if they're out by too much then Kerberos
authentication can fail and users won't be able to log on to the network. Another
function of the PDC Emulator is that it is the domain controller to which all
changes to Group Policy are initially made. For example, if you create a new
Group Policy Object (GPO) then this is first created in the directory database and
within the SYSVOL share on the PDC Emulator, and from there the GPO is
replicated to all other domain controllers in the domain. Finally, all password
changes and account lockout issues are handled by the PDC Emulator to ensure
that password changes are replicated properly and account lockout policy is
effective. So even though the PDC Emulator emulates an NT PDC (which is why
this role is called PDC Emulator), it also does a whole lot of other stuff. In fact,
the PDC Emulator role is the most heavily utilized FSMO role so you should
make sure that the domain controller that holds this role has sufficiently beefy
hardware to handle the load. Similarly, if the PDC Emulator role fails then it can
potentially cause the most problems, so the hardware it runs on should be fault
tolerant and reliable. Finally, every domain has its own PDC Emulator role, so if
you have N domains in your forest then you will have N domain controllers with
the PDC Emulator role as well.
• RID Master - This is another domain-specific FSMO role, that is, every domain in your forest has exactly one domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user or computer account) because the SID for the new security principal is constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you won't be able to create any new user or computer accounts, and to prevent this from happening the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.
• Infrastructure Master - This is another domain-specific role and its purpose is to
ensure that cross-domain object references are correctly handled. For example, if
you add a user from one domain to a security group from a different domain, the
Infrastructure Master makes sure this is done properly. As you can guess
however, if your Active Directory deployment has only a single domain, then the
Infrastructure Master role does no work at all, and even in a multi-domain
environment it is rarely used except when complex user administration tasks are
performed, so the machine holding this role doesn't need to have much
horsepower at all.
• Schema Master - While the first three FSMO roles described above are domain-
specific, the Schema Master role and the one following are forest-specific and are
found only in the forest root domain (the first domain you create when you create
a new forest). This means there is one and only one Schema Master in a forest,
and the purpose of this role is to replicate schema changes to all other domain
controllers in the forest. Since the schema of Active Directory is rarely changed
however, the Schema Master role will rarely do any work. Typical scenarios
where this role is used would be when you deploy Exchange Server onto your
network, or when you upgrade domain controllers from Windows 2000 to
Windows Server 2003, as these situations both involve making changes to the
Active Directory schema.
• Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role also resides in the forest root domain. The Domain Naming Master role processes all changes to the namespace; for example, adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available. So if you can't add a new child domain or a new domain tree, check to make sure this role is running properly.
To summarize then, the Schema Master and Domain Naming Master roles are found only
in the forest root domain, while the remaining roles are found in each domain of your
forest. Now let's look at best practices for assigning these roles to different domain
controllers in your forest or domain.
• Rule One: In your forest root domain, keep your Schema Master and Domain Naming Master on the same domain controller to simplify administration of these roles, and make sure this domain controller contains a copy of the Global Catalog. This is not a hard-and-fast rule, as you can move these roles to different domain controllers if you prefer, but there's no real gain in doing so and it only complicates FSMO role management. If for reasons of security policy, however, your company decides that the Schema Master role must be fully segregated from all other roles, then go ahead and move the Domain Naming Master to a different domain controller that hosts the Global Catalog. Note though that if you've raised your forest functional level to Windows Server 2003, your Domain Naming Master role can be on a domain controller that doesn't have the Global Catalog, but in this case at least make sure this domain controller is a direct replication partner of the Schema Master machine.
• Rule Two: In each domain, place the PDC Emulator and RID Master roles on the
same domain controller and make sure the hardware for this machine can handle
the load of these roles and any other duties it has to perform. This domain
controller doesn't have to have the Global Catalog on it, and in general it's best to
move these two roles to a machine that doesn't host the Global Catalog because
this will help balance the load (the Global Catalog is usually heavily used).
• Rule Three: In each domain, make sure that the Infrastructure Master role is not
held by a domain controller that also hosts the Global Catalog, but do make sure
that the Infrastructure Master is a direct replication partner of a domain controller
hosting the Global Catalog that resides in the same site as the Infrastructure
Master. Note however that this rule does have some exceptions, namely that the
Infrastructure Master role can be held by a domain controller hosting the Global
Catalog in two circumstances: when there is only one domain in your forest or
when every single domain controller in your forest also hosts the Global Catalog.
To summarize these three rules then and make them easy to remember:
• Forest root domain - Schema Master and Domain Naming Master on the same
machine, which should also host the Global Catalog.
• Every domain - PDC Emulator and RID Master on the same machine, which
should have beefy hardware to handle the load.
• Every domain - Never place the Infrastructure Master on a machine that hosts the
Global Catalog, unless your forest has only one domain or unless every domain
controller in your forest hosts the Global Catalog.
• a structure supported by Windows® 2000 that lets any object on a network be tracked
and located. Active Directory is the directory service used in Windows 2000 Server and
provides the foundation for Windows 2000 distributed networks.
harcon.ma.cx/Docs/General/AD_GLOSSARY.HTM
• The database that holds information about component locations, users, groups,
passwords, security, and other COM information. Some of this information is currently
stored in the Registry, but will eventually (with Windows 2000) be moved to the Active
Directory.
www.innovatia.com/software/papers/com.htm
• Provides the ability to build applications that give a single point of access to multiple
directories in a network environment, whether those directories are LDAP,NDS,or NTDS
based directories.
www.angelfire.com/ny3/diGi8tech/A.html
• Microsoft's directory database for Windows 2000 networks. Stores information about
resources on the network and provides a means of centrally organizing, managing, and
controlling access to the resources.
www.rlmueller.net/terms.htm
• The directory service environment for Microsoft Windows 2000 (and later) servers. Active
Directory includes enough information about users, groups, organizational units and other
kinds of management domains and administrative information about a network to
represent a complete digital model of the network.
www.netchico.com/support/glossary/a.html
• Active Directory (codename Cascade) is an implementation of LDAP directory services
by Microsoft for use in Windows environments. Active Directory allows administrators to
assign enterprise wide policies, deploy programs to many computers, and apply critical
updates to an entire organization. Active Directory stores information about its users and
can act in a similar manner to a phone book. ...
en.wikipedia.org/wiki/Active_Directory
A
access control entry (ACE) -- each ACE contains a security identifier (SID),
which identifies the principal (user or group) to whom the ACE applies, and
information on what type of access the ACE grants or denies.
access control list (ACL) -- a set of data associated with a file, directory, or
other resource that defines the permissions that users and/or groups have for
accessing it. In the Active Directory service, an ACL is a list of access control
entries (ACEs) stored with the object it protects. In the Windows NT® operating
system, an ACL is stored as a binary value, called a security descriptor.
Active Directory -- a structure supported by Windows® 2000 that lets any object
on a network be tracked and located. Active Directory is the directory service
used in Windows 2000 Server and provides the foundation for Windows 2000
distributed networks.
ADSI provides the means for directory service clients to use one set of interfaces
to communicate with any namespace that provides an ADSI implementation.
ADSI clients gain a simpler access to namespace services by using ADSI in
place of the network-specific application programming interface (API) calls. ADSI
conforms to and supports standard COM features. ADSI also defines interfaces
and objects accessible from automation-compliant languages such as Java,
Visual Basic®, and Visual Basic Scripting Edition (VBScript), as well as from non-
automation-compliant languages such as C and C++, which enhance
performance. In addition, ADSI supplies its own OLE database provider, and so
fully supports any clients already using an OLE database, including those using
ActiveX® technologies.
B
In a Windows 2000 domain, backup domain controllers are not required; all
domain controllers are peers, and all can perform maintenance on the directory.
Windows NT 4.0 and Windows NT 3.51 backup domain controllers can
participate in a Windows 2000 domain when it is running in mixed mode. See
also domain controller, primary domain controller.
C
container -- a special type of Active Directory object. A container is like other
directory objects in that it has attributes and is part of the Active Directory
namespace. However, unlike other objects, it does not usually represent
something concrete. It is the container for a group of objects and other
containers. See also object.
D
database layer -- an architectural layer of Active Directory that isolates the upper
layers of the directory service from the underlying database system by exposing
application programming interfaces (APIs) to the Directory System Agent (DSA)
layer so that no calls are made directly to the Extensible Storage Engine (ESE).
Now James Smith can create new users and groups in Corporate Accounting
and set the passwords on existing users, but he cannot create any other object
classes and he cannot affect users in any other containers (unless, of course, he
is granted that access by ACEs on the other containers).
directory service -- such as Active Directory; provides the methods for storing
directory data and making this data available to network users and
administrators. For example, Active Directory stores information about user
accounts, such as names, passwords, phone numbers, and so on, and enables
other authorized users on the same network to access this information. See also
Active Directory, directory partition.
In Active Directory a single server always holds at least three directory partitions:
• The schema
• The configuration (replication topology and related metadata)
• One or more per-domain directory partitions (subtrees containing the actual objects in the directory)
distinguished name -- identifies the domain that holds the object as well as the
complete path through the container hierarchy by which the object is reached.
Every object in the Active Directory has a unique distinguished name. A typical
distinguished name might be:
CN=JamesSmith,CN=Users,DC=Microsoft,DC=Com. This distinguished name
identifies the “James Smith” user object in the Microsoft.com domain.
domain local group -- can contain users and global groups from any domain in
the forest, universal groups, and other domain local groups in its own domain. A
domain local group can only be used on ACLs in its own domain. See also
domain, forest.
E
Extensible Storage Engine (ESE) -- the Active Directory database engine. ESE
(Esent.dll) is an improved version of the Jet database that is used in Microsoft
Exchange Server versions 4.x and 5.5. It implements a transacted database
system, which means that it uses log files to ensure that committed transactions
are safe.
F
forest -- a group of one or more Active Directory trees that trust each other. All
trees in a forest share a common schema, configuration, and global catalog.
When a forest contains multiple trees, the trees do not form a contiguous
namespace. All trees in a given forest trust each other through transitive
bidirectional trust relationships. Unlike a tree, a forest does not need a distinct
name. A forest exists as a set of cross-referenced objects and trust relationships
known to the member trees. Trees in a forest form a hierarchy for the purposes
of trust. See also tree, global catalog.
G
global catalog (GC) -- the global catalog contains a partial replica of every
Windows 2000 domain in the directory. The GC lets users and applications find
objects in an Active Directory domain tree given one or more attributes of the
target object. It also contains the schema and configuration of directory partitions.
This means the global catalog holds a replica of every object in the Active
Directory, but with only a small number of their attributes. The attributes in
the global catalog are those most frequently used in search operations (such as
a user’s first and last names, logon names, and so on), and those required to
locate a full replica of the object. The GC allows users to find objects of interest
quickly without knowing what domain holds them and without requiring a
contiguous extended namespace in the enterprise. The global catalog is built
automatically by the Active Directory replication system.
global catalog server -- a Windows 2000 domain controller that holds a copy of
the global catalog for the forest. See also global catalog.
global group -- can appear on ACLs anywhere in the forest and may contain
users and other global groups from its own domain.
group -- see global group, domain local group, universal group, and Group
Policy.
A GPO can be associated with one or more Active Directory containers, such as
a site, domain, or organizational unit. Multiple containers can be associated with
the same GPO, and a single container can have more than one associated GPO.
M
mixed mode -- allows domain controllers running both Windows 2000 and earlier
versions of Windows NT to co-exist in the domain. In mixed mode, the domain
features from previous versions of Windows NT Server are still enabled, while
some Windows 2000 features are disabled. Windows 2000 Server domains are
installed in mixed mode by default. In mixed mode the domain may have
Windows NT 4.0 backup domain controllers present. Nested groups are not
supported in mixed mode. Compare native mode.
N
native mode -- when all the domain controllers in a given domain are running
Windows 2000 Server. This mode allows organizations to take advantage of new
Active Directory features such as Universal groups, nested group membership,
and inter-domain group membership. Compare mixed mode.
P
policy -- the set of rules that govern the interaction between a subject and an
object. For example, when an Internet Protocol (IP) security agent (the subject)
starts on a given computer (the object) a policy determines how that computer
will participate in secure IP connections.
public key infrastructure (PKI) -- a policy for establishing a secure method for
exchanging information within an organization, an industry, or a nation. PKI is
also an integrated set of services and administrative tools for creating, deploying,
and managing public-key-based applications. It includes the cryptographic
methods, the use of digital certificates and certificate authorities (CAs), and the
system for managing the process.
R
relative distinguished name (RDN) -- the part of the name of an object that is
an attribute of the object itself. The attribute that provides the RDN for an object
is referred to as the naming attribute. See also distinguished name.
S
schema -- the definition of an entire database; the universe of objects that can
be stored in the directory is defined in the schema. For each object class, the
schema defines what attributes an instance of the class must have, what
additional attributes it may have, and what object class can be a parent of the
current object base. See also object, attribute.
schema master -- the domain controller assigned to control all updates to the
schema within a forest. At any time, there can be only one schema master in the
forest. See also domain controller, forest, schema.
Sites play a major role in the Active Directory replication service, which
differentiates between replication using a local network connection (intra-site
replication) and replication over a slower wide area network (WAN) link (inter-site
replication). Administrators use the Active Directory Sites and Services Manager
snap-in to administer replication topology for both intra- and inter-site replication.
store -- the physical storage for each Active Directory replica. When an object is
stored in Active Directory, the system will select a copy of the store and write the
object there. The replication system will replicate the object on all other replicas.
The store is implemented using the Extensible Storage Engine (ESE). See also
Extensible Storage Engine.
T
transitive trust -- the trust relationship that inherently exists between Windows
2000 domains in a domain tree or forest, or between trees in a forest, or that can
exist between forests. When a domain joins an existing forest or domain tree, a
transitive trust is automatically established. Transitive trusts are always two-way
relationships. This series of trusts, between parent and child domains in a
domain tree and between root domains of domain trees in a forest, allows all
domains in a forest to trust each other for the purposes of authentication. For
example, if domain A trusts domain B and domain B trusts domain C, then
domain A trusts domain C. See also tree, forest.
U
universal group -- the simplest form of group. Universal groups can appear in
ACLs anywhere in the forest, and can contain other universal groups, global
groups, and users from anywhere in the forest. Small installations can use
universal groups exclusively and not concern themselves with global and local
groups.
ACID - The ACID rules are rules that are met by a well-designed OLTP
system. The ACID acronym stands for Atomic, Consistent, Isolated, and
Durable.
ADO - ActiveX Data Objects. These are COM objects that allow
database access.
ASP - Active Server Pages. This is an HTML web page that is custom-
built in real time. ASP pages can be run as MTS objects. You can use
VBScript inside ASP pages and IIS will parse the VBScript. An ASP
page can load COM-based DLLs. Understanding ASP is the key to
designing web-based COM applications. You can use IISAD to design
ASP pages.
BSTR - Basic String. This is a data type that is stored as a string length
value and a null-terminated character array.
Class Table - A machine-wide table that holds the class factory object
references for every registered CLSID.
DACL - Discretionary Access Control List. This is a list that controls who
can do what with your server objects. An administrator can use
DCOMCNFG to configure the DACL.
DCOM - Distributed COM; COM over a wire; COM between more than
one computer; COM with RPC.
DLL - Dynamic Link Library. COM server DLLs run in the same process
as their clients, unless the DLL is running in a surrogate process.
IUnknown - The COM interface class from which all other interface
classes are derived. This interface allows all COM objects to manage
their own lifetime, i.e., to release themselves from memory when they
are no longer connected to any clients.
OSF - The Open Software Foundation, now called the Open Group. The
group that defined the RPC specification.
Round Trip - When a client passes control to a server object and then
the server passes control back to the client. Round trips are time-
consuming when the client and the server are located in different
processes, and especially when they're located on different machines.
You should design remote interfaces such that round trips are
minimized.
VBX - Visual Basic Extension controls. These are 16-bit reusable Visual
Basic controls that have been superseded by OCXs.
Active Directory: The directory service environment for Microsoft Windows 2000 (and
later) servers. Active Directory includes enough information about users, groups,
organizational units and other kinds of management domains and administrative
information about a network to represent a complete digital model of the network.
Address Resolution Protocol (ARP): A protocol in the TCP/IP suite used to associate
logical addresses to physical addresses.
Affiliate: Web site affiliates are what drive Internet
Daemon: A UNIX term for a component of any server program that "listens" to incoming
requests for a specific service across the network; for example, a Telnet server might
include a Telnet daemon, a program that always runs, ready to serve Telnet requests; the
same component of an FTP server is called an FTP daemon, and so forth.
Daily backup: Copies all files modified on the day of the backup.
DHCP: "Dynamic Host Configuration Protocol" A network server uses this protocol to
dynamically assign IP addresses and subnet masks to networked computers. The DHCP
server waits for a computer to connect to it then assigns it an IP address from a master list
stored on the server. DHCP helps in setting up large networks since IP addresses don't
have to be manually assigned to each computer on the network. Because of the slick
automation involved with DHCP it is one of the most commonly used networking
protocols.
DNS: "Domain Name System" The primary purpose of DNS is to keep Web surfers sane.
Without DNS, we would have to remember the IP address of every site we wanted to
visit, instead of just the domain name. Can you imagine having to remember
"17.254.3.183" instead of just "apple.com"? While I have some Computer Science friends
who might prefer this, most people have an easier time remembering simple names. The
reason the Domain Name System is used is because Web sites are actually located by
their IP addresses. For example, when you type in "http://www.adobe.com," the computer
doesn't immediately know that it should look for Adobe's web site. Instead, it sends a
request to the nearest DNS server, which finds the correct IP address for "adobe.com."
Your computer then attempts to connect to the server with that IP number.
Domain: A uniquely named collection of user accounts and resources that share a
common security database.
Domain Name: This is the name that identifies a web site. For example, "microsoft.com"
is the domain name of Microsoft's web site. A single web server can serve web sites for
multiple domain names, but a single domain name can point to only one machine. For
example, Apple Computer has web sites at www.apple.com, www.info.apple.com, and
store.apple.com. Each of these sites could be served on different machines. Then there
are domain names that have been registered, but are not connected to a web server. The
most common reason for this is to have e-mail addresses at a certain domain name
without having to maintain a web site. In these cases, the domain name must be
connected to a machine that is running a mail server.
To give you an idea of how an LDAP directory is organized, here are the different levels
of a simple LDAP tree hierarchy:
Most LDAP connectivity is done behind the scenes so the typical user probably won't
notice it when surfing the web. However, it is a good technology to know about.
Loopback: A special DNS host name that refers to the reserved Class A address
127.0.0.1 used to confirm that a computer's IP configuration works.
FAT32: This term refers to the way Windows stores data on your hard drive. "FAT"
stands for "File Allocation Table," which keeps track of all your files and helps the
computer locate them on the disk. Even if a file gets fragmented (split up into various
areas on the disk) the file allocation table can still keep track of it. FAT32 is an
improvement to the original FAT system since it uses more bits to identify each cluster
on the disk. This helps the computer locate files more easily and allows for smaller clusters,
which improves the efficiency of your hard disk. FAT32 supports up to 2 terabytes of
hard disk storage.
NTFS: "New Technology File System" It is a file system introduced by Microsoft with
Windows NT and is supported by subsequent versions of Windows such as Windows
2000 and Windows XP. (The file system is how the operating system organizes and
accesses files on the hard drive.) NTFS has a number of advantages over the older file
system named FAT, or file allocation table. One major advantage of NTFS is that it
incorporates features to improve reliability. For example, the new technology file system
includes fault tolerance, which repairs hard drive errors without displaying error
messages. It keeps detailed transaction logs, which track hard drive errors. This can help
prevent hard disk failure as well as make it possible to recover files if the hard drive does
fail. NTFS also allows permissions (such as read, write, and execute) to be set for
individual directories and files. It even supports spanning volumes, which allows
directories of files to be spread across multiple hard drives. The only reason why you
would not want to select NTFS when formatting your hard drive is if you like slow,
outdated technology or you need to run an older operating system such as Windows 95 or
MS-DOS.
SMTP: "Simple Mail Transfer Protocol" This is the protocol used for sending e-mail
over the Internet. Your e-mail client (such as Outlook, Eudora, or Mac OS X Mail) uses
SMTP to send a message to the mail server, and the mail server uses SMTP to relay that
message to the correct receiving mail server. Basically SMTP is a set of commands that
authenticate and direct the transfer of electronic mail. When configuring the settings for
your e-mail program you usually need to set the SMTP server to your local Internet
Service Provider's SMTP settings (i.e. "smtp.yourisp.com"). However, the incoming mail
server (IMAP or POP3) should be set to your mail account's server (i.e. hotmail.com),
which may be different from the SMTP server.
Win32: This is the Windows application programming interface (API) for developing 32-
bit applications. It has been used for Windows 95, Windows 98, Windows NT, and newer
Windows operating systems. This means that if you use Windows 95 or later you can run
32-bit applications on your computer. Win32 is a term that is important to programmers
but is not crucial for the average user to know. Just know that if you have Windows 95 or
later you can run Win32 applications. If you want to learn more about Win32, including a
bunch of technical jargon, you can visit Microsoft's Developer Website for more
information.
Win32 Driver Model (WDM): A unified driver architecture that allows a single driver
to be written for both Windows 95 and Windows NT.
Windows: This is the most popular operating system for personal computers. It is
developed and distributed by Microsoft. There are several versions of the Windows
operating system including Windows XP Home and XP Pro. Earlier versions of Windows
include Windows 3.1, 95, 98, ME, and NT. All Windows platforms use a graphical user
interface (GUI), like the Mac OS, and also offer a command-line interface for typing text
commands.