Appendix B: Terms That Are Used in this White Paper

Applies To: Windows Server 2003 with SP1

The following terms are used in this white paper:

  • External trust: A single trust link between two domains that are in separate forests. The external trust establishes nontransitive trust from one domain to the other. These trusts have to be explicitly created and maintained by the administrator. The trusts can be one-way or two-way trusts.

  • Internal Trust: A single trust link between two domains in the same forest. The internal trust establishes transitive trust between the two domains. For example, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A trusts Domain C. These trusts are created automatically when a new domain is added to the forest and are required for the forest to work. These trusts are always two-way trusts.

  • Forest trust: A single trust link between the root domains of two forests. The forest trust establishes transitive trust between all of the domains in each forest. For example, if Forest A trusts Forest B, then all of the domains in Forest A trust all of the domains in Forest B through the forest trust. However, this trust is not transitive across forests. For example, if Forest A trusts Forest B and Forest B trusts Forest C, then Forest A does not automatically trust Forest C. These trusts can be one-way or two-way trusts.

  • Trusted domain object (TDO): An object present in Active Directory that represents the trust between two domains or forests.

  • Forest TDO: An existing trust definition object that has a bit that is set to indicate forest trust.

  • Namespace: A grouping of related names in which names can be used to symbolically represent another type of information (for example, security principals) and for which specific rules are established to determine which names belong in that namespace. For example, a namespace might be "all names ending with contoso.com except for the names that end with a.contoso.com or b.contoso.com." Forests manage many namespaces that frequently look similar but are used to identify different types of objects, such as user principal names (UPNs), service principal names (SPNs), and domain names.

  • Top-level name (TLN): A name that is used to identify a namespace. For example, corp.fabrikam.com is the TLN that identifies the namespace that contains all of the names under corp.fabrikam.com, such as server.corp.fabrikam.com, server1.corp.fabrikam.com, server2.corp.fabrikam.com, and so on.

  • Top-level name exclusion (TLNEx): A record that excludes a part of the namespace. For example, a TLNEx of test.fabrikam.com on the fabrikam.com TLN specifies that the namespace consists of all of the names that are under fabrikam.com except for the names that are under test.fabrikam.com.

  • Forest trust information (FTInfo): The set of namespaces (identified by their TLNs) that a trusted forest claims to manage, annotated with a field that indicates whether each claim is actually trusted by the trusting forest. FTInfo is stored on the forest TDO and is used for routing authentication and authorization requests to trusted forests.

  • User principal name (UPN): A variation of a user's name that looks like an e-mail name, but can be used for logon. The syntax is user_name@string.

  • Implicit UPN: The implicit UPN is always of the user_id@DNS_domain_name.com form. This UPN is always associated with the user's account, even if an explicit UPN is not defined.

  • Explicit UPN: The explicit UPN is always of the string@any_string form, where both string and any_string are explicitly defined by the administrator.

  • UPN suffix: A string that indicates the namespace from which a UPN is derived. A UPN suffix includes everything on the right side of the at sign (@) in the full UPN. Everything on the left side of the at sign is considered part of the user name, even if the text contains another at sign. UPN suffixes can be either flat or hierarchical in structure, although they are typically used to identify flat namespaces.

  • Service principal name (SPN): A multicomponent name that is used to identify a service that is associated with a computer account. SPNs are typically used to request Kerberos service tickets. The syntax is service_type/instance_name [:port_number] [/service_name [@domain] ]. For example, host/server.contoso.com, MSSQLSvc/server.contoso.com:1433.

  • SPN suffix: A string that indicates the namespace from which a component of an SPN is derived. An SPN suffix may consist of the trailing substring of the instance_name or service_name component. It may include all of the domain component, except for the at sign (@).

  • Security identifier (SID): A unique identifier that is associated with every security principal, such as S-1-5-123232343434-544. The SID consists of a domain identifier and a relative identifier (RID).
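The TLN, TLNEx, FTInfo and UPN suffix entries above describe a matching procedure; the following added example (not code from the white paper or from Windows) models that procedure in Python. The record layout, function names and the sample FTInfo for the fabrikam.com and contoso.com forests are constructed for illustration.

```python
# Added example (not from the white paper): routes a name across forest trusts
# using the TLN / TLNEx / trusted-flag rules the glossary describes. Record
# layout and function names are assumptions, not the Windows implementation.
from dataclasses import dataclass, field
from typing import List, Optional

def dns_suffix_match(name: str, tln: str) -> bool:
    """True when name equals tln or lies below it (case-insensitive)."""
    name, tln = name.lower().rstrip("."), tln.lower().rstrip(".")
    return name == tln or name.endswith("." + tln)

@dataclass
class TLNRecord:
    tln: str                          # namespace claimed by the trusted forest
    trusted: bool = True              # the trusting forest's verdict on the claim
    exclusions: List[str] = field(default_factory=list)  # TLNEx entries

@dataclass
class ForestTrust:
    forest: str                       # root domain of the trusted forest
    ftinfo: List[TLNRecord]           # FTInfo as stored on the forest TDO

def upn_suffix(upn: str) -> str:
    """Suffix is everything right of the LAST '@'; the rest is the user name."""
    _user, sep, suffix = upn.rpartition("@")
    return suffix if sep else ""

def route_name(name: str, trusts: List[ForestTrust]) -> Optional[str]:
    """Return the trusted forest that owns `name`, or None if nothing routes it."""
    for trust in trusts:
        for rec in trust.ftinfo:
            if not dns_suffix_match(name, rec.tln):
                continue
            if any(dns_suffix_match(name, ex) for ex in rec.exclusions):
                continue              # TLNEx carves this subtree out of the TLN
            if not rec.trusted:
                continue              # claim present in FTInfo but not accepted
            return trust.forest
    return None

# Constructed sample FTInfo for two trusted forests (not real data).
SAMPLE_TRUSTS = [
    ForestTrust("fabrikam.com", [
        TLNRecord("fabrikam.com", exclusions=["test.fabrikam.com"]),
        TLNRecord("fabrikam.net", trusted=False)]),   # claimed, not yet accepted
    ForestTrust("contoso.com", [
        TLNRecord("contoso.com"),
        TLNRecord("test.fabrikam.com")]),             # owns the excluded subtree
]
```

Note that a name under the excluded test.fabrikam.com subtree is not routed to fabrikam.com even though it matches that TLN, and a TLN whose claim is present but marked untrusted routes nothing.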