This week, I present the fourth in an occasional series of Windows 2000 Ready columns that I'll devote to defining new Windows 2000 (Win2K) terms and concepts. With this series, I'll be compiling a Win2K glossary for the Windows NT Magazine Web site. If you'd like me to address any particular Win2K topics, acronyms, or concepts, email me at

Active Directory Service Interface (ADSI) defines a set of COM interfaces that let directory service client applications access network directory services such as Active Directory (AD). With ADSI, clients can use one set of interfaces to communicate with any namespace that supports ADSI implementation. Instead of making network-specific API calls, clients can take advantage of ADSI to access namespace services. In addition to standard COM features, ADSI supports Java, Visual Basic (VB), VBScript, C, C++, and ActiveX technology.

An attribute is a characteristic or property of an AD object. Attribute values define all AD objects. For example, a user object's attributes (e.g., first name, last name, phone number) define the user object. The schema defines the attributes. You can apply one attribute definition to several different classes because the schema defines attributes and classes separately. For example, an attribute named location can apply to two different classes: printers and computers.

A Certificate Authority (CA) is a service that issues digital certificates to individuals, computers, and organizations. A CA can be either one that you create within your organization by installing Win2K Certificate Services or a third-party CA such as VeriSign. A CA is responsible for publishing a Certification Revocation List (CRL). A root CA, also known as the root authority, is the most trusted CA in an organization. Typically, organizations use root CAs only to issue certificates to subordinate CAs, which are CAs that a root CA or another subordinate CA has certified. Generally, subordinate CAs issue certificates for secure email, smart card authentication, and other authentications. A root CA and subordinate CAs form a certification hierarchy.

A forest is a collection of one or more AD trees that connect through transitive bidirectional Kerberos trust relationships. Trees in a forest share several things, including a common schema, a global catalog, and certain configuration information, but they don't form a contiguous namespace. With one logon, users can access resources in any domain in a forest because of transitive trusts. Only transitive trusts exist between Win2K domains in the same forest; you can't create nontransitive trusts between Win2K domains in the same forest. However, the only trust you can create between two forests is a nontransitive trust. Throughout a forest, you can have only one schema master domain controller, which handles updates and changes to schema, and one domain naming master, which handles addition or removal of domains in the forest.

Group Policy
A Group Policy is a policy that an administrator applies to a group of users and computers within an organizational unit (OU). A group policy object (GPO) is a collection of such policies. Group Policies in Win2K take the NT 4.0 system policy concept to the next level: You can apply Registry-based changes, as you could with NT system policies, but Group Policies also let you perform various tasks, including deploying applications on client desktops, configuring startup-shutdown and logon-logoff scripts, and enforcing domain security. Although Win2K's Group Policies replace any NT system policies you created with System Policy Editor (SPE), Win2K still supports system policies. By default, a Group Policy updates every 5 minutes on domain controllers and every 90 minutes on clients, with a random offset of 0 to 30 minutes.

Kerberos V5 Authentication
Kerberos V5, the primary security protocol that Win2K uses for authentication, uses encrypted authentication instead of sending clear-text passwords over the wire. Kerberos refers to several things: Kerberos is the Authentication Service (AS), the protocol that AS uses, and the code that implements AS. Kerberos V5 authentication issues tickets for accessing services on the network. The Kerberos protocol consists of several subprotocols and can operate across domains. The Kerberos V5 authentication service, Key Distribution Center (KDC), runs as a service on each domain controller.

Transitive Trust
A transitive trust is a trust relationship that exists by default between domains in a Win2K tree or forest. Transitive trusts also exist inherently between trees in a forest. With transitive behavior, if domain X trusts domain Y, and domain Y trusts domain Z, then domain X also trusts domain Z. When a Win2K domain joins an existing tree, a two-way transitive trust establishes automatically. In NT, two-way trusts are really two one-way trusts that establish one at a time. The transitive trusts in Win2K are bidirectional and allow authentication and access to resources all across a forest.