Active Directory data model is derived from the X.500 data model. The directory holds
objects that represent various elements described by attributes.
The types of objects stored in the directory are defined in the
schema. For each object class, the schema
defines what attributes an instance of the class must have, what
additional attributes it may have, and which object classes can be
a parent of the current object class.
Delegation is one of the most important security
features of Active Directory. Delegation allows a higher
administrative authority to grant specific administrative rights
for containers and
subtrees to individuals and groups. This eliminates the need for
domain administrators with broad authority over large segments of
users. An access-control entry
can grant specific administrative rights on the objects in a
container to a user or group. Rights are granted for specific
operations on specific object classes using an ACE in the container
A directory is a store for object data. For example, a telephone
directory stores telephone subscriber data. In a file system, the
directory stores file data. In a distributed computing system, like
the Internet, there are many objects, such as printers, fax
servers, applications, databases, and users.
A server, workstation, or application that accesses a directory service, using
the LDAP protocol, to query the directory for object data.
A directory partition, or naming context, is a contiguous
Active Directory subtree replicated on one, or more,
Windows 2000 domain controllers in a forest. By default, each
domain controller has a replica of three partitions: the schema partition, the
partition, and a domain partition.
A service that provides access to data and objects in a
directory or network environment.
The directory system agent is the process that provides
access to the physical storage for Active Directory.
A list controlled by the owner of an object and that specifies
the access that particular users or groups can have to the
A fully-qualified unique name, used to identify an object in a
directory, that specifies the complete path to the object through
the hierarchy of directory containers.
In Active Directory, a collection of computer, user, and group
objects defined by the administrator. These objects share a common
directory database, security policies, and security relationships
with other domains.
A domain component is used to indicate an element of a
distinguished name that is part of a domain. For example, "CN=Jeff
Smith,CN=Users,DC=Fabrikam,DC=com" contains the Domain Components
"Fabrikam" and "com".
A server computer, running on Microsoft Windows NT,
Windows 2000, or Windows Server 2003 family operating
systems that contains a replica of all the objects and object
attributes in the domain.
Also called a forest. A
logical structure formed by combining two or more Microsoft
Windows 2000 or Windows Server 2003 domain trees.
domain local group
A group that can contain
members from any domain, but can be granted permissions only to
resources in its own domain.
Domain Name System
A hierarchical naming system for identifying Transmission
Control Protocol/Internet Protocol (TCP/IP) hosts on the
A directory partition that contains the objects, such as
users and computers, associated with the local domain.
A hierarchical grouping of Microsoft Windows 2000 or
Windows Server 2003 domains.