Platform SDK: Active Directory, ADSI, and Directory Services

D

data model
The Active Directory™ data model is derived from the X.500 data model. The directory holds objects that represent various things described by attributes. The types of objects that can be stored in the directory are defined in the schema. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it may have, and which object classes can be a parent of the current object class.
delegation
Delegation is one of the most important security features of Active Directory™. It allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups, which eliminates the need for domain administrators with sweeping authority over large segments of the user population. Access-control entries (ACEs) in a container's discretionary access-control list (DACL) grant a user or group rights for specific operations (for example, create child, delete child, or write a particular property) on specific object classes; ACEs flagged to inherit apply to every object in the subtree. Because an ACE that grants full control, or the right to change the DACL or the owner, effectively hands over the whole subtree, delegate the narrowest rights that do the job and audit inheritable ACEs regularly.
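As an added example (not code from the Platform SDK), the following Python script decodes a DACL written in SDDL, the string form Windows uses for security descriptors, and lists which ACEs delegate rights on a container subtree and which of them hand out more than a delegation should. The sample descriptor, the principal SIDs and the list of trusted administrative groups are constructed for illustration; the two schemaIDGUIDs in the table are the documented values for the member attribute and the group class, but confirm any GUID against the schema partition of the forest you are auditing.

```python
"""Added example (not from the Platform SDK): decode a DACL written in SDDL and
report which ACEs delegate rights on a container subtree.

Sample SDDL, SIDs and the 'trusted' list are constructed; verify schemaIDGUIDs
against your own schema partition."""
import re

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED",
             "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
# SDDL right code -> (access-mask bit, name); the low nine bits are DS-specific rights
RIGHTS = {
    "GA": (0x10000000, "GENERIC_ALL"), "GR": (0x80000000, "GENERIC_READ"),
    "GW": (0x40000000, "GENERIC_WRITE"), "GX": (0x20000000, "GENERIC_EXECUTE"),
    "RC": (0x00020000, "READ_CONTROL"), "SD": (0x00010000, "DELETE"),
    "WD": (0x00040000, "WRITE_DAC"), "WO": (0x00080000, "WRITE_OWNER"),
    "CC": (0x00000001, "DS_CREATE_CHILD"), "DC": (0x00000002, "DS_DELETE_CHILD"),
    "LC": (0x00000004, "DS_LIST"), "SW": (0x00000008, "DS_SELF"),
    "RP": (0x00000010, "DS_READ_PROP"), "WP": (0x00000020, "DS_WRITE_PROP"),
    "DT": (0x00000040, "DS_DELETE_TREE"), "LO": (0x00000080, "DS_LIST_OBJECT"),
    "CR": (0x00000100, "DS_CONTROL_ACCESS"),
}
WELL_KNOWN_SIDS = {"DA": "Domain Admins", "EA": "Enterprise Admins",
                   "BA": "Builtin Administrators", "SY": "SYSTEM",
                   "AU": "Authenticated Users", "WD": "Everyone", "CO": "Creator Owner"}
# schemaIDGUIDs that make an object ACE specific to one attribute or class (verify in your schema)
SCHEMA_GUIDS = {"bf9679c0-0de6-11d0-a285-00aa003049e2": "member",
                "bf967a9c-0de6-11d0-a285-00aa003049e2": "group"}


def _codes(field, table):
    """Expand a run of two-letter SDDL codes such as 'CIID' into names."""
    return [table[field[i:i + 2]] for i in range(0, len(field), 2)]


def _mask(field):
    """Rights field: either a hex number or a run of two-letter right codes."""
    if field.startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]][0]
    return mask


def rights_names(mask):
    return [name for bit, name in RIGHTS.values() if mask & bit]


def parse_ace(text):
    """Parse 'type;flags;rights;object_guid;inherit_object_guid;sid' (no conditional ACEs)."""
    ace_type, flags, rights, obj, inh_obj, sid = text.split(";")
    return {"type": ACE_TYPES[ace_type], "flags": _codes(flags, ACE_FLAGS),
            "mask": _mask(rights),
            "object_type": SCHEMA_GUIDS.get(obj.lower(), obj) or None,
            "inherited_object_type": SCHEMA_GUIDS.get(inh_obj.lower(), inh_obj) or None,
            "trustee": WELL_KNOWN_SIDS.get(sid, sid)}


def parse_dacl(sddl):
    """Return the ACEs of the D: section of an SDDL string, in order."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL in SDDL string")
    body = sddl[start + 2:]
    end = body.find("S:")            # stop at the SACL if one follows
    if end >= 0:
        body = body[:end]
    return [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]


def subtree_delegations(aces):
    """Allow ACEs that apply to child objects (CI) and were set here rather than inherited (no ID)."""
    return [a for a in aces if a["type"].startswith("ACCESS_ALLOWED")
            and "CONTAINER_INHERIT" in a["flags"] and "INHERITED" not in a["flags"]]


def broad_grants(aces, trusted=("Domain Admins", "Enterprise Admins",
                                "Builtin Administrators", "SYSTEM")):
    """Subtree delegations that give full control, WRITE_DAC or WRITE_OWNER to non-admin principals."""
    dangerous = RIGHTS["GA"][0] | RIGHTS["WD"][0] | RIGHTS["WO"][0]
    return [a for a in subtree_delegations(aces)
            if a["trustee"] not in trusted and a["mask"] & dangerous]


# Constructed sample: the DACL of an OU with one narrow and one over-broad delegation.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"      # full control on the OU for Domain Admins
    "(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;"
    "bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-1-2-3-1105)"  # write 'member' on groups only
    "(A;CI;GA;;;S-1-5-21-1-2-3-1106)"           # full control over the whole subtree
    "(A;CIID;RPLCLORC;;;AU)"                    # read access inherited from the parent
)

if __name__ == "__main__":
    for ace in subtree_delegations(parse_dacl(SAMPLE_SDDL)):
        scope = ace["inherited_object_type"] or "all classes"
        print(ace["trustee"], rights_names(ace["mask"]), "on", scope, "/", ace["object_type"] or "all")
    print("over-broad:", [a["trustee"] for a in broad_grants(parse_dacl(SAMPLE_SDDL))])
```

The narrow ACE (write the member attribute, restricted to group objects, for one principal) is what delegation should look like; the GENERIC_ALL ACE on the same subtree is what the check flags. Conditional ACEs, which contain nested parentheses, are outside what this parser handles.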
directory
A directory is an information source used to store information about objects. A telephone directory stores information about telephone subscribers. In a file system, the directory stores information about files. In a distributed computing system or a public computer network like the Internet, there are many objects, such as printers, fax servers, applications, databases, and users.
directory partition
A directory partition (also called a naming context) is a contiguous Active Directory™ subtree that is replicated on one or more Windows 2000 domain controllers (DCs) in a forest. Each DC has a replica of three partitions: the schema partition, the configuration partition, and a domain partition.
directory service (DS)
A directory service differs from a directory in that it is both the directory information source and the services that make the information available and usable to users.

A directory service is one of the most important components of an extended computer system. Users and administrators frequently do not know the exact name of the objects they are interested in. They may know one or more attributes of the objects and can query the directory to get a list of objects that match the attributes. For example, "find all duplex printers in Building 26." A directory service allows a user to find any object given one of its attributes.

A directory service can:

directory system agent (DSA)
The directory system agent is the process that provides access to the physical storage for Active Directory™. On a Windows 2000 domain controller it runs as Ntdsa.dll inside the LSA process (Lsass.exe); LDAP clients, replication partners, and the other directory interfaces all reach the directory store through it.
discretionary access-control list (DACL)
A discretionary access-control list is a list that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object. See access control list.
distinguished name (DN)
A distinguished name is a name that identifies an object by indicating its current location in the directory hierarchy. The name is formed by concatenating the relative distinguished names of the object and each of its ancestors up to the root of the directory partition. An object's distinguished name is unique across the entire directory, but it changes if the object is moved or renamed, so store the objectGUID rather than the DN when you need a persistent reference to an object. For example, "CN=John Smith,CN=Users,DC=Microsoft,DC=com" is the distinguished name of the John Smith object in the Users container of the Microsoft.com domain.
domain
A domain is a single security boundary of a Windows NT/Windows 2000 computer network. On a standalone workstation, the domain is the computer itself. A domain can span more than one physical location. Every domain has its own security policies and security relationships with other domains. Multiple domains connected by trust relationships that share a contiguous DNS namespace form a domain tree; one or more trees that share a common schema, configuration, and global catalog form a forest. Because all domains in a forest trust each other transitively and share the schema and configuration partitions, treat the forest, not the domain, as the outer security boundary when you plan administration.
domain component (DC)
A domain component is the attribute type used in distinguished names (DNs) to carry one label of the DNS name of the object's domain. For example, /O=Internet/DC=COM/DC=Microsoft/CN=Users/CN=John Smith contains the domain components "COM" and "Microsoft"; in the LDAP form of the name, the same object is CN=John Smith,CN=Users,DC=Microsoft,DC=com, and the DC components read from the root spell out the DNS name Microsoft.com.
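As an added example (not code from the Platform SDK) serving both the distinguished name and domain component entries, the following Python script splits an LDAP-form DN into its relative distinguished names with RFC 2253 escaping, derives the DNS domain from the DC components, finds the parent container, and escapes untrusted values before assembling a DN so that a value such as "Smith,OU=Admins" cannot smuggle an extra RDN into the name. The sample DNs are constructed; multi-valued RDNs (joined with +) and the slash-separated form shown above are not handled.

```python
"""Added example (not from the Platform SDK): parse and build LDAP distinguished
names with RFC 2253 escaping. All sample DNs are constructed."""

HEX = set("0123456789abcdefABCDEF")
SPECIAL = set(',+"\\<>;')   # characters that must be escaped inside an RDN value


def _split_rdns(dn):
    """Split on unescaped commas, keeping each RDN in its escaped form."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])     # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return [p.lstrip() for p in parts]  # spaces after a separator are not significant


def _unescape(raw):
    """Undo escaping: '\\,' -> ',' and single-byte hex escapes such as '\\2c' -> ','."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if i + 2 < len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
                out.append(chr(int(raw[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(raw[i + 1])
                i += 2
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


def split_dn(dn):
    """Return (type, value) pairs, most specific first; multi-valued RDNs (a+b) are not handled."""
    pairs = []
    for rdn in _split_rdns(dn):
        attr, sep, raw_value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), _unescape(raw_value.lstrip())))
    return pairs


def dns_domain(dn):
    """Join the DC components, root last, into the DNS name of the object's domain."""
    return ".".join(value for attr, value in split_dn(dn) if attr == "DC")


def parent_dn(dn):
    """DN of the container holding the object (its first RDN dropped)."""
    return ",".join(_split_rdns(dn)[1:])


def escape_rdn_value(value):
    """Escape a value so it cannot add RDNs or move the object to another container."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in SPECIAL or (idx == 0 and ch in " #") or (idx == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_dn(pairs):
    """Assemble a DN from (type, value) pairs, escaping every value."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in pairs)


if __name__ == "__main__":
    dn = "CN=John Smith,CN=Users,DC=Microsoft,DC=com"     # the DN from the glossary entry
    print(split_dn(dn), dns_domain(dn), parent_dn(dn))
    untrusted = "Smith,OU=Admins"                           # constructed hostile input
    naive = "CN=" + untrusted + ",OU=Sales,DC=example,DC=com"
    safe = build_dn([("CN", untrusted), ("OU", "Sales"), ("DC", "example"), ("DC", "com")])
    print("naive parent:", parent_dn(naive))
    print("safe parent: ", parent_dn(safe))
```

Concatenating the raw value yields a name whose parent is OU=Admins, that is, an object created in a container the caller never intended; the escaped form keeps the comma inside the CN value and the object in OU=Sales.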
domain controller
A domain controller (DC) is a server computer that holds Active Directory™ replicas of the domain partition for the local domain, as well as replicas of the schema and configuration partitions for the enterprise forest. A DC can also hold a replica of the global catalog.
domain local group
A domain local group can be used on access-control lists (ACLs) only in its own domain. A domain local group can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain.
domain name service (DNS)
DNS (the Domain Name System) is the distributed naming service used on the Internet and in Windows 2000 networks to map host names to IP addresses; a reverse lookup maps an IP address back to a name. It is a name-resolution service, not a routing mechanism. Active Directory depends on DNS: domain names are DNS names, and clients locate domain controllers through the SRV records that DCs register in DNS.
domain partition
A directory partition that contains the objects, such as users and computers, associated with the local domain. A domain can have multiple DCs; a forest can have multiple domains. Each DC stores a full replica of the domain partition for its local domain, but does not store replicas of the domain partitions for other domains.