1.1 Glossary

This document uses the following terms:

access control list (ACL): A list of access control entries (ACEs) that collectively describe the security rules for authorizing access to some resource; for example, an object or set of objects.

Active Directory: The Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos [MS-KILE]. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS), which are both described in [MS-ADOD]: Active Directory Protocols Overview.

Active Directory domain: A domain hosted on Active Directory. For more information, see [MS-ADTS].

Active Directory domain controller promotion (DCPROMO): The act of causing a server to become a domain controller (DC).

Active Directory forest: See forest.

active refresh: A self-generated DNS query for the DNSKEY records at a trust point, for the purpose of automatically retrieving new trust anchors and removing revoked trust anchors.

aging: A concept in which a DNS server keeps track of time stamps for the last update of individual resource records. Duration from last time stamp to current time is considered as the age of the resource-record and this value is used for scavenging, a process for cleaning out not-recently used records.

application directory partition: An application NC.

ASCII: The American Standard Code for Information Interchange (ASCII) is an 8-bit character-encoding scheme based on the English alphabet. ASCII codes represent text in computers, communications equipment, and other devices that work with text. ASCII refers to a single 8-bit ASCII character or an array of 8-bit ASCII characters with the high bit of each character set to zero.

authentication level: A numeric value indicating the level of authentication or message protection that remote procedure call (RPC) will apply to a specific message exchange. For more information, see [C706] section 13.1.2.1 and [MS-RPCE].

authoritative: A DNS server is authoritative for a portion of the DNS namespace if it hosts a primary or secondary zone for that portion of the DNS namespace.

autocreated zone: A zone that is created automatically by a DNS server, such as 0.in-addr.arpa, 127.in-addr.arpa or 255.in-addr.arpa.

cache: When a DNS server receives information from other servers, it stores the information for a certain amount of time in its own in-memory zones, also referred to as a DNS cache. This improves performance of domain name resolution and reduces DNS-related query traffic. The cache contains only nodes that have unexpired records and expired DNS records that are not-yet-freed.

cache scope: A unique version of a cache zone that can be created inside a DNS server cache. Resource records can then be added (and subsequently managed) in the cache scope. The cache scope behavior is the same as a DNS server cache.

client subnet record: A collection of IPv4 and IPv6 subnets grouped together. Each Client Subnet Record has a unique name.

Coordinated Universal Time (UTC): A high-precision atomic time standard that approximately tracks Universal Time (UT). It is the basis for legal, civil time all over the Earth. Time zones around the world are expressed as positive and negative offsets from UTC. In this role, it is also referred to as Zulu time (Z) and Greenwich Mean Time (GMT). In these specifications, all references to UTC refer to the time at UTC-0 (or GMT).

crossRef object: An object residing in the partitions container of the config NC that describes the properties of a naming context (NC), such as its domain naming service name, operational settings, and so on.

delegation: A name server record set in a parent zone that lists the authoritative name servers for a delegated subzone.

directory server: A persistent storage for DNS zones and records. A DNS server can access DNS data stored in a directory server using the LDAP protocol or a similar directory access mechanism.

directory server security descriptors: The set of security descriptors read from the directory server, encompassing the DNS Server Configuration Access Control List, Zone Access Control List, and the Application Directory Partition Access Control List.

directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. See also Active Directory.

directory-server-integrated: A DNS server is directory-server-integrated if a local directory server such as Active Directory resides in the same machine as the DNS Server.

distinguished name (DN): A name that uniquely identifies an object by using the relative distinguished name (RDN) for the object, and the names of container objects and domains that contain the object. The distinguished name (DN) identifies the object and its location in a tree.

DNS domain partition: An application directory partition stored in the directory server that is replicated to all DNS servers in the domain.

DNS forest partition: An application directory partition stored in the directory server that is replicated to all DNS servers in the forest.

DNS Operations: DNS Query Processing, DNS Zone Transfer, DNS Recursive Query, and DNS Update are collectively called DNS Operations.

DNS policy: A group of processing rules, based on which a DNS Operation is controlled and allowed or denied access. A DNS Policy can be at a server level or at a specific zone. A DNS Policy is specific to a DNS Operation.

DNS policy criteria: A NULL-terminated Unicode string that states one of the processing rules of a DNS Policy.

Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database.

dynamic endpoint: A network-specific server address that is requested and assigned at run time. For more information, see [C706].

dynamic update: A mechanism by which updates for DNS records can be sent to the authoritative DNS server for a zone through the DNS protocol.

expired DNS record: A DNS record stored in the cache whose age is greater than the value of its TTL.

forest: In the Active Directory directory service, a forest is a set of naming contexts (NCs) consisting of one schema NC, one config NC, and one or more domain NCs. Because a set of NCs can be arranged into a tree structure, a forest is also a set of one or several trees of NCs.

forwarder: The forwarder is the kernel-mode component of the router that is responsible for forwarding data from one router interface to the others. The forwarder also decides whether a packet is destined for local delivery, whether it is destined to be forwarded out of another interface, or both. There are two kernel-mode forwarders: unicast and multicast.

forwarders: A DNS server that is designated to facilitate forwarding of queries for other DNS servers.

FSMO role: A set of objects that can be updated in only one naming context (NC) replica (the FSMO role owner's replica) at any given time. For more information, see [MS-ADTS] section 3.1.1.1.11. See also FSMO role owner.

FSMO role owner: The domain controller (DC) holding the naming context (NC) replica in which the objects of a FSMO role can be updated.

full zone transfer (AXFR): A DNS protocol mechanism [RFC1035] through which an entire copy of a DNS zone can be transmitted to a remote DNS server.

fully qualified domain name (FQDN): An unambiguous domain name that gives an absolute location in the Domain Name System's (DNS) hierarchy tree, as defined in [RFC1035] section 3.1 and [RFC2181] section 11.

global name zone (GNZ): A zone that provides single-label name resolution for large enterprise networks that do not deploy WINS and where using domain name suffixes to provide single-label name resolution is not practical.

globally unique identifier (GUID): A term used interchangeably with universally unique identifier (UUID) in Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the value. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] have to be used for generating the GUID. See also universally unique identifier (UUID).

glue record: A record of type A or AAAA included in a zone to specify the IP address of a DNS server used in a delegation. The fully qualified domain name of each glue record will match the fully qualified domain name of an authoritative DNS server found in one of the NS records in the delegation.

incremental zone transfer (IXFR): A DNS protocol mechanism [RFC1995] through which a partial copy of a DNS zone can be transmitted to a remote DNS server. An incremental zone transfer, or IXFR, is represented as a sequence of DNS record changes that can be applied to one image of a zone to synchronize it with another image of a zone.

Interface Definition Language (IDL): The International Standards Organization (ISO) standard language for specifying the interface for remote procedure calls. For more information, see [C706] section 4.

Internet Protocol version 4 (IPv4): An Internet protocol that has 32-bit source and destination addresses. IPv4 is the predecessor of IPv6.

Internet Protocol version 6 (IPv6): A revised version of the Internet Protocol (IP) designed to address growth on the Internet. Improvements include a 128-bit IP address size, expanded routing capabilities, and support for authentication and privacy.

key master: A DNS server that is responsible for generating and maintaining DNSSEC signing keys for one particular zone.

key rollover: The process through which DNSSEC signing keys are updated.

key signing key (KSK): A DNSKEY used to sign only the DNSKEY record set at the root of the zone, as defined in [RFC4641].

lame delegation: A delegation in which none of the name servers listed in the delegation host the delegated subzone or respond to DNS queries.

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].

local directory server: A directory server instance on the same host as the DNS server.

multizone operation: An operation requested to be performed on a set of zones with one or more particular properties, rather than on a single zone.

multizone operation string: A string indicating a property defining a set of zones on which an operation is to be performed.

naming context root (NC Root): The specific directory object referenced by the naming context dsname.

Network Data Representation (NDR): A specification that defines a mapping from Interface Definition Language (IDL) data types onto octet streams. NDR also refers to the runtime environment that implements the mapping facilities (for example, data provided to NDR). For more information, see [MS-RPCE] and [C706] section 14.

network mask: A bit vector that, when logically AND-ed with an IP address, indicates the subnet to which an IP address belongs. Also known as net mask.

node: An entry identified by name in a DNS zone. A node contains all of the DNS records sets associated with the name.

nonkey master primary server: In a file-backed signed zone, a nonkey master primary is a server that holds the primary copy of the signed zone. A nonkey master primary server can also do signature refreshes and Zone Signing using Zone Signing Keys but cannot generate or manage keys on its own.

NoRefresh interval: If an update which does not change the DNS data for a record set is received within the NoRefresh interval then the DNS server will not update the timestamp on the record. This allows the DNS server to avoid unnecessary updates to the data store.

online signing: The process of signing and maintaining DNSSEC characteristics of a zone.

opnum: An operation number or numeric identifier that is used to identify a specific remote procedure call (RPC) method or a method in an interface. For more information, see [C706] section 12.5.2.12 or [MS-RPCE].

primary DNS server: A DNS server that holds a master authoritative copy of a particular zone's data in local persistent storage.

primary server: In a DHCPv4 server failover configuration, the primary server in the failover relationship is the first server that is used when an attempt is made by a DHCP client to obtain an IP address and options. A server is primary in the context of a subnet. However, a primary server for a given subnet can also be a secondary server for another subnet.

primary zone: A zone for which a master authoritative copy of data is held in persistent local storage or in a locally accessible directory server. A zone stored in a directory server is a primary zone for any DNS server that can retrieve a copy of it from its local directory server.

read-only domain controller (RODC): A domain controller (DC) that does not accept originating updates. Additionally, an RODC does not perform outbound replication. An RODC cannot be the primary domain controller (PDC) for its domain.

refresh interval: If the NoRefresh interval for a record has expired and the DNS server receives a DNS update that does not change the record data then the DNS server will commit a new timestamp to the data store. The combination of NoRefresh and refresh intervals allows a DNS server to maintain a relatively accurate record timestamp without unnecessary updates to the data store.

relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the distinguished name (DN) of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston". For more information, see [RFC2251].

remote procedure call (RPC): A communication protocol used primarily between client and server. The term has three definitions that are often used interchangeably: a runtime environment providing for communication facilities between computers (the RPC runtime); a set of request-and-response message exchanges between computers (the RPC exchange); and the single message from an RPC exchange (the RPC message).  For more information, see [C706].

resource record (RR): A single piece of DNS data. Each resource record consists of a DNS type, a DNS class, a time to live (TTL), and record data (RDATA) appropriate for the resource record's DNS type.

Response Rate Limiting (RRL): A collection of Domain Name System (DNS) server settings that can help mitigate DNS amplification attacks. See [RRL].

root directory system agent-specific entry (rootDSE): The logical root of a directory server, whose distinguished name (DN) is the empty string. In the Lightweight Directory Access Protocol (LDAP), the rootDSE is a nameless entry (a DN with an empty string) containing the configuration status of the server. Access to this entry is typically available to unauthenticated clients. The rootDSE contains attributes that represent the features, capabilities, and extensions provided by the particular server.

root hints: DNS root hints contain host information that is needed to resolve names outside of the authoritative DNS domains. It contains names and addresses of the root DNS servers.

RPC transport: The underlying network services used by the remote procedure call (RPC) runtime for communications between network nodes. For more information, see [C706] section 2.

scavenging: A regularly scheduled process in which the state of database records are changed if they have not been updated within a certain time interval, measured by the process that checks whether current time exceeds the record's time stamp value.

secondary DNS server: A DNS server that holds an authoritative read-only copy of a particular zone's data. The copy is periodically copied from another authoritative DNS server. Each zone can have any number of secondary DNS servers.

secondary zone: A zone for which an authoritative read-only copy of data is hosted by a particular DNS server. The data for a secondary zone is periodically copied from another DNS server that is authoritative for the zone.

secret key transaction authentication (TSIG): An authentication mechanism specified in [RFC2845] for DNS dynamic updates that uses a one-way hashing function to provide a cryptographically secure means of identifying each endpoint.

secure delegation: A delegation in a parent zone (name server record set), along with a signed delegation signer (DS) record set, signifying a delegation to a signed subzone.

secure dynamic update: A modification of the dynamic update mechanism by which updates for DNS records can be sent securely to the authoritative DNS server for a zone through the DNS protocol.

security context: An abstract data structure that contains authorization information for a particular security principal in the form of a Token/Authorization Context (see [MS-DTYP] section 2.5.2). A server uses the authorization information in a security context to check access to requested resources. A security context also contains a key identifier that associates mutually established cryptographic keys, along with other information needed to perform secure communication with another security principal.

security descriptor: A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by its security identifier (SID). If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. Applications use this structure to set and query an object's security status. The security descriptor is used to guard access to an object as well as to control which type of auditing takes place when the object is accessed. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.

security provider: A pluggable security module that is specified by the protocol layer above the remote procedure call (RPC) layer, and will cause the RPC layer to use this module to secure messages in a communication session with the server. The security provider is sometimes referred to as an authentication service. For more information, see [C706] and [MS-RPCE].

security support provider (SSP): A dynamic-link library (DLL) that implements the Security Support Provider Interface (SSPI) by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and NTLM.

Security Support Provider Interface (SSPI): An API that allows connected applications to call one of several security providers to establish authenticated connections and to exchange data securely over those connections. It is equivalent to Generic Security Services (GSS)-API, and the two are on-the-wire compatible.

serial number: A field in the SOA record for a zone. This value is used to compare different versions of zone.

server level policy: A policy can be specified at each scope (subnet) or it can be specified global to the DHCP server. A policy which is global to the DHCP server is referred as a server-level policy and applies to all the scopes configured on the DHCP server.

server scope: A collection of DNS server settings with a unique name. The DNS server behavior is determined by the applied server scope.

signing key descriptor (SKD): A collection of DNSSEC signing key characteristics such as algorithm, key length, and signature validity period that describe how DNSSEC signing keys and corresponding signatures are to be generated and maintained by the DNS server.

single-label name: A domain name consisting of exactly one label [for example contoso. (an absolute name) or contoso (a relative name)]. When written in dotted-notation, a single-label name will contain at most one period (.).

start of authority (SOA): Every zone contains a SOA record as defined in [RFC1035] section 3.3.13 and clarified in [RFC2181] section 7 at the beginning of the zone that provides information relevant for a zone.

stub: Used as specified in [C706] section 2.1.2.2. A stub that is used on the client is called a "client stub", and a stub that is used on the server is called a "server stub".

stub zone: A specialized version of a secondary zone. A stub zone contains only those resource records that are necessary to identify the authoritative DNS server for that zone. A stub zone consists of the zone root SOA resource record, zone root NS resource records, and glue resource records for the zone root SOA and NS records.

time stamp: An integer value representing the number of hours that have elapsed since midnight (00:00:00), January 1, 1601 UTC.

Time-To-Live (TTL): The time duration for which a Server Object is available.

tombstone: An inactive DNS node which is not considered to be part of a DNS zone but has not yet been deleted from the zone database in the directory server. Tombstones can be permanently deleted from the zone once they reach a certain age. Tombstones are not used for DNS zones that are not stored in the directory server. A node is a tombstone if its dnsTombstoned attribute has been set to "TRUE".

trust anchor: A DNSKEY (public key) or DS (public key hash) record that is presumed to be authentic (that is trusted); a DNSKEY or DS record that is in the "TrustAnchors" zone. A DS trust anchor cannot be used in a DNSSEC proof, but it can serve as an authentication of a retrieved DNSKEY record, allowing it to become a DNSKEY trust anchor.

trust point: An FQDN that has one or more trust anchors; a point in the DNS namespace from which a DNSSEC proof can begin, via the presumption of trust anchor authenticity; a node in the "TrustAnchors" zone that contains a DS or DNSKEY record.

Unicode string: A Unicode 8-bit string is an ordered sequence of 8-bit units, a Unicode 16-bit string is an ordered sequence of 16-bit code units, and a Unicode 32-bit string is an ordered sequence of 32-bit code units. In some cases, it could be acceptable not to terminate with a terminating null character. Unless otherwise specified, all Unicode strings follow the UTF-16LE encoding scheme with no Byte Order Mark (BOM).

universally unique identifier (UUID): A 128-bit value. UUIDs can be used for multiple purposes, from tagging objects with an extremely short lifetime, to reliably identifying very persistent objects in cross-process communication such as client and server interfaces, manager entry-point vectors, and RPC objects. UUIDs are highly likely to be unique. UUIDs are also known as globally unique identifiers (GUIDs) and these terms are used interchangeably in the Microsoft protocol technical documents (TDs). Interchanging the usage of these terms does not imply or require a specific algorithm or mechanism to generate the UUID. Specifically, the use of this term does not imply or require that the algorithms described in [RFC4122] or [C706] has to be used for generating the UUID.

User Datagram Protocol (UDP): The connectionless protocol within TCP/IP that corresponds to the transport layer in the ISO/OSI reference model.

UTF-16LE: The Unicode Transformation Format - 16-bit, Little Endian encoding scheme. It is used to encode Unicode characters as a sequence of 16-bit codes, each encoded as two 8-bit bytes with the least-significant byte first.

UTF-8: A byte-oriented standard for encoding Unicode characters, defined in the Unicode standard. Unless specified otherwise, this term refers to the UTF-8 encoding form specified in [UNICODE5.0.0/2007] section 3.9.

virtualization instance: A logical partition in a DNS server, which is capable of independently hosting zones and zone scopes. Same-name zones and zone scopes can be hosted in different virtualization instances.

Windows Internet Name Service (WINS): A name service for the NetBIOS protocol, particularly designed to ease transition to a TCP/IP based network. An implementation of an NBNS server.

Windows Internet Name Service Reverse Lookup (WINS-R): A form of reverse lookup performed by the DNS server using NBSTAT lookups to map IPv4 addresses to single-label names.

zone: A domain namespace is divided up into several sections called zones [RFC1034] and [RFC2181]. A zone represents authority over a portion of the DNS namespace, excluding any subzones that are below delegations.

zone scope: A unique version of a zone that can be created inside an existing zone. Resource records can then be added (and subsequently managed) to the zone scope.

zone signing key (ZSK): A DNSKEY used to sign all of the records in a zone, as defined in [RFC4641].

zone transfer: A DNS protocol mechanism by which a full or partial copy of a DNS zone can be transmitted from one DNS server to another.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.