Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


access control 

The security mechanism in Windows 2000 that limits access to information, objects, or controls for designated users and groups.

access control entry 

(ACE) An entry in an access control list (ACL) that contains the security identifier (SID) for a user or group and an access mask that allows, denies, or audits operations by users or groups.

access control list 

(ACL) A list of Windows 2000 security principals, user accounts, and groups associated with an object. This list is used to determine whether a user or process has been granted access to an object.

access token 

A data structure containing security information that identifies a user to the security subsystem on a computer running Windows 2000 or Microsoft Windows NT. Access tokens contain a user's security ID, the security IDs for groups that the user belongs to, and a list of the user's privileges on the local computer.


ACE

See definition for: access control entry


ACL

See definition for: access control list

Active Directory 

The directory service for Windows 2000 Server. It stores information about objects on the network and makes this information available for authorized administrators and users. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

Active Directory Connector 

(ADC) A Windows 2000 service that replicates the Exchange 5.5 directory with Active Directory. This allows administration of a directory from either Active Directory or the Exchange 5.5 directory service.

Active Directory Service Interface 

(ADSI) A set of interfaces that allows programmatic access to underlying directory services through a common command set.

Active Directory Users and Computers 

A Microsoft Management Console (MMC) snap-in that allows administrators to manage objects in Active Directory.

Active Server Pages 

(ASP) A scripting environment that runs ActiveX scripts and ActiveX components on a server. Developers can combine scripts and components to create Web-based applications.


ADC

See definition for: Active Directory Connector

address list 

A collection of recipient and other Active Directory objects. Each address list can contain one or more types of objects (for example, users, contacts, groups, public folders, conferencing, and other resources). Exchange 2000 address lists also provide a mechanism to partition mail-enabled objects in Active Directory for the benefit of specific groups of users.

address space 

A set of address information associated with a connector or gateway that identifies certain types of messages. An address space is typically a subset of a complete address.

administrative group 

A collection of Active Directory objects that are grouped together for the purpose of permissions management. An administrative group can contain policies, routing groups, public folder hierarchies, servers, and chat networks. The content of an administrative group depends on choices you make during installation.


ADSI

See definition for: Active Directory Service Interface

advanced security 

A feature that enables users to digitally sign or encrypt messages. To sign a message, the sender must provide an advanced security password. This guarantees recipients that a digitally signed message is authentic. To decrypt a message, recipients must provide an advanced security password.


ASP

See definition for: Active Server Pages

asynchronous event 

An event that occurs after an item is saved or deleted. An asynchronous event does not occur in any particular sequence with other events.


attribute

1. Information that indicates that a file is read-only, hidden, system, or compressed, or whether the file has been changed since a backup copy of it was made. 2. In object-oriented software, an individual characteristic of the object.


audit

To track the activities of users by recording selected events in an event log on a server or workstation.


authentication

1. Validation of a user's Windows 2000 logon information. 2. The process that verifies the identity of a user trying to establish a connection to a chat server. Chat Service supports authentication of incoming client connections by using cleartext passwords, NTLM protocol, or any authentication method compatible with the Security Support Provider Interface (SSPI).


back-end server 

A server that hosts at least one database that front-end servers connect to when relaying requests from clients. See also: front-end server


backbone

The network connection between LAN segments.


ban

A control that allows users and administrators to restrict users with a specific user name or nickname, or users from a specific domain, from participating in a chat community.

bastion host 

A computer that must be secure because it is accessible from the Internet and exposed to attack. It acts as a protective relay for mail between the Internet and internal users.

bridgehead server 

A computer that connects servers using the same communications protocols so information can be passed from one server to another. In Exchange 2000, a bridgehead server is a connection point from a routing group to another routing group, remote system, or other external system.



CA

See definition for: certification authority


CDO

See definition for: Collaboration Data Objects


certificate

An electronic credential that authenticates a user on the Internet and intranets. Certificates ensure the legitimate online transfer of confidential information or other sensitive material by means of public key encryption technology. In Exchange, certificates contain information used for digital signatures and encryption that binds the user's public key to the mailbox.

certificate revocation list 

(CRL) A list, published by a certification authority, of certificates that have been revoked and should therefore no longer be trusted for authentication.

Certificate Services 

Software services that provide authentication support including secure e-mail, Web-based authentication, and smart card authentication. The services contrast with Internet Authentication Services (IAS), which provide authentication for dial-in users.

certificate template 

A Windows 2000 construct that pre-specifies the format and content of certificates based on their intended usage. See also: public key infrastructure

certificate trust list 

(CTL) A signed list of root certification authority certificates that an administrator considers reputable for designated purposes, such as client authentication or secure e-mail.

certification authority 

(CA) An entity with a server that issues certificates to clients and servers. A certification authority attests to the identification of a user of a public key and can also revoke certificates when the private key associated with the certificate is compromised or when the subject of the certificate leaves an organization.


channel

A channel, also called a chat room, is the Chat Service platform for communication. When users join a channel they can read anything that is typed to the members of the channel.

checkpoint file 

A file that indicates which transactions have been successfully saved to disk. The Edb.chk file points to the log file of all transactions that have been successfully committed to the database file. After all the transactions in a particular log file are committed to the database file, the pointer advances to the log file with the next unwritten entry. Separate checkpoint files are maintained for each storage group.

circular logging 

A method of logging transactions in Microsoft Web Storage System in which earlier log files are overwritten after the transactions in the log file have been committed to the database.


coexistence

When you connect Exchange 2000 to another messaging system, including an earlier version of Exchange, the two systems coexist. A coexistence period can be short-term (enough time to migrate users from an existing messaging system to Exchange 2000), or it can be long-term (a permanent connection to the messaging system of another department that is not moving to Exchange 2000).

Collaboration Data Objects 

(CDO) An application programming interface that allows users and applications high-level access to data objects within Exchange. CDO defines the concept of different object classes, including messages, posts, appointments, and tasks.

Conference Management Service 

The component of Exchange 2000 Conferencing Server responsible for the reservation and scheduling of online meetings. See also: Exchange 2000 Conferencing Server

conference resource 

An Exchange 2000 mailbox that users invite when scheduling an online meeting.

configuration connection agreement 

A connection agreement that replicates Exchange-specific configuration information between Exchange 5.5 and Active Directory. This type of connection agreement is created automatically the first time an Exchange 2000 server is introduced into an Exchange 5.5 site. It cannot be created manually. See also: connection agreement

connection agreement 

Used by Active Directory Connector (ADC) to control replication between an Exchange 5.x or earlier site and Active Directory. The standard connection agreement replicates Exchange recipient objects (mailboxes, distribution lists, custom recipients, and public folder proxies) and Active Directory objects (users, groups, contacts, and public folder proxies) between the Exchange 5.5 directory and Active Directory. Connection agreements define the server names to be contacted for replication, the object classes to replicate, the target containers, and the replication schedule. See also: configuration connection agreement, primary connection agreement


console

A control unit through which a user communicates with a computer via a primary input device (keyboard or mouse) and a primary output device (screen). A console integrates all the tools, information, and Web pages an administrator needs to perform specific tasks.


contact

An Active Directory object that represents a user who does not have a Windows logon account or a mailbox. For example, a contact may represent a user outside of the organization. A contact in Windows 2000 is equivalent to a custom recipient in earlier versions of Exchange. See also: custom recipient


container

An object that contains other objects.

contiguous namespace 

A namespace that contains names that share a common root; for example, and form a contiguous namespace.


CRL

See definition for: certificate revocation list


CTL

See definition for: certificate trust list

custom address list 

An address list created for users who need a custom view of recipients within an Exchange organization. For example, you can create an address list that includes only employees in North America, or you can create an address list that includes only employees in the marketing department. See also: default address list

custom recipient 

Used in previous versions of Exchange, a custom recipient was a user who was not hosted by Exchange. In Exchange 2000, such users can be added to Active Directory as contacts, Windows 2000 users, or users whose Windows 2000 accounts are disabled. They are mail-enabled, but not mailbox-enabled, because their mailboxes are hosted on another messaging system. See also: contact, mail-enabled


data conference 

Online conferences in which members share data in real time.

Data Conferencing Provider 

A conference technology provider supplied with Exchange 2000 Conferencing Server that permits the hosting of data conferences.

default address list 

An address list that is automatically created based on the values of specific attributes of Active Directory objects. These address lists are available to Exchange users without any administrator action. See also: custom address list


DHCP

See definition for: Dynamic Host Configuration Protocol

digital signature 

A personal authentication method based on encryption and secret authorization codes that is used for signing electronic documents. Digital signatures not only validate the sender's identity, they ensure the message contents have not been altered. No one can tamper with a digitally signed message without detection. When the sender encrypts a message, only the recipient is able to decrypt it and read its contents.

directory partition 

A self-contained section of a directory hierarchy that can have its own properties, such as replication configuration. Active Directory includes the domain, configuration, and schema directory partitions. See also: naming context

directory replication 

The process of updating the directories of all servers within and between sites.

Distributed Authoring and Versioning 

(DAV) An extension to the Hypertext Transfer Protocol (HTTP) 1.1 protocol that allows for manipulation of objects and attributes. Although not specifically designed for the purpose, DAV allows for the control of a filing system by using HTTP protocol.

distribution list 

A group of recipients created to expedite mass mailing of messages and other information. When e-mail is sent to a distribution list, all members of that list receive a copy of the message. See also: group


DNS

See definition for: Domain Name System


domain

A grouping of servers and other network objects under a single name. Domains provide the following benefits:

  • You can group objects into domains to help reflect your company's organization in your computer network.

  • Each domain stores only the information about the objects located in that domain. By partitioning the directory information this way, the Active Directory scales up to as many objects as you need to store information about on your network.

  • Each domain is an administrative boundary: security policies and settings (such as administrative rights, security policies, and security descriptors) do not cross from one domain to another. Note, however, that the domains within a forest are not security boundaries that guarantee isolation from each other. Only the forest constitutes a security boundary.

domain controller 

A computer running Windows 2000 Server that manages user access to a network, which includes logging on, authentication, and access to Active Directory and shared resources.

domain controller locator 

An algorithm that runs in the context of the Net Logon service and that finds domain controllers on a Windows 2000 network. Locator can find domain controllers by using either DNS or network basic input/output system (NetBIOS) names, or it can be used on a network where Internet Protocol (IP) transport is not available.

domain local group 

A Windows 2000 group available only in native-mode domains, which can contain members from anywhere in the forest, in trusted forests, or in a trusted pre-Windows 2000 domain. Domain local groups can grant permissions only to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain. See also: universal group

Domain Name System 

(DNS) A TCP/IP standard name service that allows clients and servers to resolve names into Internet Protocol (IP) addresses and vice versa. Dynamic DNS in Windows 2000 enables clients and servers to automatically register themselves without the need for administrators to manually define records.

domain naming master 

A domain controller that can add new domains to the forest, remove existing domains from the forest, and add or remove cross-reference objects to external directories. Only the domain naming master can perform those tasks.

dual key pair system 

A security architecture that uses two separate key pairs, each with separate usage restrictions. One key pair is used for message encryption, while the other is used for generating and validating digital signatures. Exchange Key Management Service uses a dual key pair design so it can archive, and provide recovery of, the user's private encryption key. To prevent the possibility of signature forgery by an administrator, the private signature key is kept solely in the possession of the user.

Dynamic Host Configuration Protocol 

(DHCP) A protocol for assigning Internet Protocol (IP) addresses to computers and other devices on a TCP/IP network. Dynamic addressing permits a computer to have a different address each time it logs on to a network.



encryption

An advanced security feature that provides confidentiality by allowing users to conceal data. Data is encrypted while it resides on disk and travels over a network.


event

In the context of programming, the occurrence of some particular action or the occurrence of a change of state that can trigger an event sink. For example, the arrival of a message at the SMTP service is an event that can trigger any number of event sinks.

event sink 

A piece of code that activates upon a defined trigger, such as receiving a new message. The code is normally written in any COM-compatible programming language, such as Microsoft Visual Basic, Microsoft Visual Basic Scripting Edition (VBScript), JavaScript, C, or C++. Exchange 2000 supports transport, protocol, and store event sinks. Event sinks on the store can be synchronous (code executes as the event is triggered) or asynchronous (code executes sometime after the event).

Exchange 2000 Conferencing Server 

An application that provides scalable, reliable online data and video conferences. See also: Conference Management Service

Exchange Administrator 

An Exchange Administration Delegation Wizard role that grants the users permission to fully administer Exchange system information, but not modify permissions.

Exchange Full Administrator 

An Exchange Administration Delegation Wizard role that grants the user permission to fully administer Exchange system information and modify permissions.

Exchange View Only Administrator 

An Exchange Administration Delegation Wizard role that grants the user permission to view Exchange configuration information.

extended Instant Messaging address 

A more fully qualified Instant Messaging address, based on the standard Simple Mail Transfer Protocol (SMTP) format. See also: Instant Messaging address

Extensible Storage Engine 

(ESE) Formerly known as JET, Extensible Storage Engine is a method that defines a very low-level application programming interface (API) to the underlying database structures in Exchange. Extensible Storage Engine is also used by other databases, such as the Active Directory database. The Extensible Storage Engine uses a balanced-tree (B-tree) structure to store data. Each page in the database file is a node in the B-tree structure. An Extensible Storage Engine database can contain up to 2^32 pages or 16 terabytes (Active Directory uses 8 KB pages and can contain up to 32 terabytes).



failover

The process of taking resources, either individually or in a group, offline on one node and bringing them back online on another node.


firewall

A security system intended to protect an organization's network against external threats coming from another network, such as the Internet. A firewall prevents direct communication between an internal network and external computers by routing communication through a proxy server that exists outside the network.


forest

One or more domain trees that do not form a contiguous namespace. Forests allow organizations to group divisions that operate independently but still need to communicate with one another.


FQDN

See definition for: fully qualified domain name

front-end and back-end architecture 

An Exchange architecture in which clients access a set of protocol servers (the front end) for collaboration information, and these servers in turn request data from separate servers (the back end). A front-end and back-end architecture provides a scalable, single point of contact for all data requests.

front-end server 

A server that receives requests from clients and relays them to the appropriate back-end server. See also: back-end server

full-text indexing 

An indexing feature that allows users to use Microsoft Outlook Advanced Find and custom clients to quickly locate mail messages and documents in Microsoft Web Storage System. Full-text indexing includes message properties, body text, and attachments.

fully qualified domain name 

(FQDN) A DNS domain name that has been stated unambiguously to indicate with certainty its location in the domain namespace tree. Fully qualified domain names differ from relative names in that they typically are stated with a trailing period (.), for example,, to qualify their position to the root of the namespace.



GAL

See definition for: global address list

global address list 

(GAL) A list containing all Exchange users, contacts, groups, conferencing resources, and public folders in an organization. This list is retrieved from the global catalog servers in Active Directory and is used by Outlook clients to address messages or find information about recipients within the organization.

global catalog 

A server that holds a complete replica of the configuration and schema naming contexts for the forest, a complete replica of the domain naming context in which the server is installed, and a partial replica of all other domains in the forest. The global catalog is the central repository for information about objects in the forest.

global group 

For Windows 2000 Server, a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those places a global group can be granted rights and permissions and can become a member of local groups. However, a global group can contain user accounts only from its own domain.


group

A collection of users, computers, contacts, public folders, and other groups. Groups can be used as a security identifier or as a distribution list. Distribution groups are used only for e-mail. Security groups are used to grant access to resources. A group in Windows 2000 is roughly equivalent to a distribution list in Exchange 5.5. See also: distribution list

Group Policy 

The Windows 2000 Microsoft Management Console (MMC) snap-in used to specify the behavior of users' desktops. See also: Group Policy object

Group Policy object 

A collection of Group Policy settings. Group Policy objects are essentially the documents created by the Group Policy snap-in, a Windows 2000 utility. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. See also: Group Policy



hash

A fixed-size result obtained by applying a one-way mathematical function (called a hash or message digest function) to an arbitrary amount of data. Given a change in the input data, the resulting hash changes. A hash is also called a message digest.


HTTP

See definition for: Hypertext Transfer Protocol

Hypertext Transfer Protocol 

(HTTP) A client/server protocol used on the Internet for sending and receiving HTML documents. HTTP is based on the TCP/IP protocol.



IFS

See definition for: Installable File System


IIS

See definition for: Internet Information Services


IMAP

See definition for: Internet Message Access Protocol

in-place upgrade 

A method of upgrading to Exchange 2000 Server in which you run Exchange 2000 Setup on a server that is running Exchange Server 5.5 with Service Pack 3.

infrastructure master 

A domain controller that updates cross-domain group-to-user references to reflect a user's new name. The infrastructure master updates these references locally and uses replication to bring all other replicas of the domain up to date. If the infrastructure master is unavailable, these updates are delayed.

Installable File System 

(IFS) A storage technology that functions as a filing system. It makes mailboxes and public folders available as traditional folders and files through standard Microsoft Win32 processes, such as Microsoft Internet Explorer and the command prompt.

Instant Messaging address 

In Instant Messaging, the use of standard Simple Mail Transfer Protocol (SMTP) e-mail addresses as Instant Messaging addresses. Some situations require the use of a more fully qualified Instant Messaging address, referred to as the extended Instant Messaging address. See also: extended Instant Messaging address

Instant Messaging domain 

A DNS name that identifies a logical collection of Instant Messaging user accounts and home servers represented by a virtual server called an Instant Messaging router. It is recommended that Instant Messaging domains have a one-to-one correspondence with e-mail domains.

Instant Messaging home server 

A virtual server that hosts Instant Messaging user accounts and communicates directly with clients to send and deliver instant messages and presence information.

Instant Messaging router 

A virtual server that receives incoming messages, locates the recipient's home server, and forwards the message to that server for delivery to the recipient.

Instant Messaging Service 

A service that allows for real-time messaging and collaboration between users.

Internet Information Services 

(IIS) Microsoft's Web service for publishing information on an intranet or the Internet, and for building server-based Web applications. Upon installation, Exchange 2000 extends the messaging capabilities of IIS and incorporates them into the Exchange message routing architecture.

Internet Key Exchange 

A protocol that establishes the security association and shared keys necessary for two parties to communicate with Internet Protocol security (IPSec).

Internet locator service 

Active Directory uses DNS as an internet locator service, resolving Active Directory domain, site, and service names to an IP address.

Internet Message Access Protocol 

(IMAP) An Internet messaging protocol that enables a client to access mail on a server rather than downloading it to the user's computer. IMAP is designed for an environment where users log on to the server from a variety of different workstations.

Internet service provider 

(ISP) A business that supplies Internet connectivity services to individuals, businesses, and other organizations.


ISP

See definition for: Internet service provider



KDC

See definition for: Key Distribution Center

Kerberos V5 

An authentication protocol used to verify user or host identity. Kerberos V5 authentication protocol is the default authentication service for Windows 2000.


key

A code or number used to digitally sign and encrypt data for security-enabled users. Keys often occur in pairs; for example, a public key and a private key. Public keys are issued by third-party certification authorities (CAs). A certificate binds a user's public key to his or her mailbox.

Key Distribution Center 

(KDC) A network service that supplies session tickets and temporary session keys used in the Kerberos authentication protocol. In Windows 2000, the KDC runs as a privileged process on all domain controllers. The KDC uses Active Directory to manage sensitive account information such as passwords for user accounts.

Key Management server 

The Exchange computer on which the Key Management Service has been installed. There can be one Key Management server per administrative group.

Key Management Service 

An optional Microsoft Exchange 2000 Server component that is installed on a designated server in an administrative group. It provides centralized administration and archival of private keys, and maintains every user's private encryption key in an encrypted database. The keys are used for encrypting e-mail messages and signing messages with digital signatures.

key pair 

Used in message security, a cryptographic key pair consists of a public key and a private key. A public key is associated with a user through a certificate that is published to a location available to anyone. The corresponding private key is stored in a secure location on the user's client computer. Key Management servers generate key pairs for encryption in Exchange 2000, while Microsoft Outlook generates key pairs for digital signatures. See also: public key infrastructure

Knowledge Consistency Checker 

A built-in process that runs on all domain controllers and generates the replication topology for the Active Directory forest. At specified intervals, the Knowledge Consistency Checker reviews and makes modifications to the replication topology to ensure propagation of data either directly or transitively.



LDAP

See definition for: Lightweight Directory Access Protocol

LDAP Data Interchange Format 

(LDIF) A draft Internet standard for a file format that can be used to perform batch operations on directories that conform to Lightweight Directory Access Protocol (LDAP) standards.


LDIF

See definition for: LDAP Data Interchange Format

leapfrog upgrade 

A method of upgrading to Exchange 2000 Server in which Exchange 2000 is installed on a new server, users are moved from a server running an earlier version of Exchange to the new server, and Exchange is then installed on the server running the earlier version of Exchange. This move and upgrade cycle repeats until all servers are upgraded.

Lightweight Directory Access Protocol 

(LDAP) A network protocol designed to work on TCP/IP stacks to extract information from a hierarchical directory such as X.500. It is useful for searching through data to find a particular piece of information.

link state algorithm 

The algorithm used to propagate routing status information between Exchange 2000 servers.

link state information 

Information about the state of messaging routes (links) in an Exchange 2000 messaging system derived from the link state algorithm to quickly and frequently calculate the state of system links for up-to-date status about routes. Exchange 2000 servers use link state information to make the best routing choice at the source rather than sending a message down a path where a link is not working. This eliminates message bounce and looping.

link state table 

The database on each Exchange 2000 server used to store link state information propagated by the link state algorithm. The link state table is used to evaluate cost and availability information to determine the most suitable route for a message.

local bridgehead server 

A server within a routing group that handles e-mail flow to and from a connector in that routing group. Routing group connectors can have multiple local bridgehead servers or no local bridgehead server, in which case every server in the routing group acts as a local bridgehead server. SMTP and X.400 connectors must have one, and only one, local bridgehead server.

Local Security Authority 

(LSA) A protected subsystem that authenticates and logs users onto the local system. In addition, the LSA maintains information about all aspects of local security on a system (collectively known as the local security policy), and provides various services for translation between names and identifiers.


LSA

See definition for: Local Security Authority


mail exchanger resource record 

(MX resource record) A Domain Name System (DNS) record that specifies a mail exchange server for a DNS domain name. A mail exchange server is a host that either processes or forwards mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol (SMTP) to another mail exchange server that is closer to the final destination, or queuing it for a specified amount of time.


mail-enabled

An Active Directory object that has at least one e-mail address defined. If the user is mail-enabled, the user has an associated e-mail address, but does not have an associated Exchange mailbox. See also: custom recipient

mailbox 

The location where e-mail is delivered. The administrator sets up a mailbox for each user. If a set of personal folders is designated as the e-mail delivery location, e-mail is routed from the mailbox to this location.

mailbox store 

The part of Microsoft Web Storage System that maintains data in mailboxes. A mailbox store consists of a rich-text .edb file, plus a streaming native Internet content .stm file.

mailbox-enabled 

An Active Directory object that has an Exchange mailbox associated with it; therefore it can both send and receive messages within the Exchange system.

message transfer agent 

(MTA) An Exchange component that routes messages to other Exchange MTAs, information stores, connectors, and third-party gateways. Also referred to as X.400 protocol in Exchange 2000 System Manager.

metabase 

A store that contains metadata, such as that used by Internet Information Services (IIS). The metabase can be viewed through utilities such as Metaedit.

Microsoft Management Console 

(MMC) A management display framework that hosts administration tools and applications. Using MMC you can create, save, and open collections of tools and applications. Saved collections of tools and applications are called consoles.

Microsoft Security Service Provider Interface 

(SSPI) The API for obtaining integrated security services for authentication, message integrity, message privacy, and secure quality of service for any distributed application protocol.

migration 

The process of moving an existing messaging system to another system by copying the existing mailboxes, messages, and other data, and importing that information into a new messaging system.

MIME 

See definition for: Multipurpose Internet Mail Extensions

mixed mode 

The default operating mode of Exchange when it is installed. Mixed mode allows Exchange 2000 servers and servers running earlier versions of Exchange to coexist in the same organization. Mixed mode allows interoperability between versions by limiting functionality to features both products share.

MMC 

See definition for: Microsoft Management Console

moderated channel 

A chat channel that is used for small chat events. A chat user joining a moderated channel cannot post messages to the channel without permissions, but can see messages posted by the designated speakers. A speaker, acting as a channel host, can grant speaking permission to a specific user.

move mailbox upgrade 

A method of upgrading to Exchange 2000 Server in which Exchange 2000 is installed on a new server, users are moved from a server running an earlier version of Exchange to the new server, and the server running the earlier version of Exchange is removed.

MTA 

See definition for: message transfer agent

Multipurpose Internet Mail Extensions 

(MIME) A standard that enables binary data to be published and read on the Internet. The header of a file with binary data contains the MIME type of the data; this informs client programs (such as Web browsers and mail packages) that they cannot process the data as straight text.


namespace 

A set of names associated with a domain or forest that identifies objects that belong to the domain or forest. A DNS name creates a namespace; for example,

naming context 

A term used in X.500 and LDAP standards. See also: directory partition

native mode 

An operating mode of Exchange 2000 Server when it is running only Exchange 2000 Server. Servers running earlier versions of Exchange cannot join an organization running in native mode.

NDR 

See definition for: non-delivery report

Network News Transfer Protocol 

(NNTP) An application protocol used in TCP/IP networks. Enables clients to read and post information to USENET newsgroups. See also: newsgroup

news site 

A collection of related newsgroups.


The flow of items from one USENET site to another.

newsgroup 

An Internet discussion group that focuses on a particular category of interest. See also: Network News Transfer Protocol

NNTP 

See definition for: Network News Transfer Protocol

non-delivery report 

(NDR) A notice that a message was not delivered to the recipient.

NTFS file system 

The file system designed for use specifically with the Windows NT operating system. NTFS supports file system recovery and extremely large storage media. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes.

NTLM authentication protocol 

A challenge/response authentication protocol. The NTLM authentication protocol was the default for network authentication in Windows NT version 4.0 and earlier. The protocol continues to be supported in Windows 2000 but is no longer the default.


object 

The basic unit of Active Directory. It is a distinct, named set of attributes that represents something concrete, such as a user, a printer, a computer, or an application.

one-step migration 

One of two migration methods available in Migration Wizard. In a one-step migration, Migration Wizard extracts migration files from another messaging system server and then imports the migration files to Exchange in one operation. See also: two-step migration

operations master 

A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single-master (not permitted to occur at different places in the network at the same time). Examples of these operations include resource identifier allocation, schema modification, primary domain controller election and certain infrastructure changes. The domain controller that controls the particular operation owns the operations master role for that operation. The ownership of these operations master roles can be transferred to other domain controllers.

organization 

A set of computers running Microsoft Exchange Server that provide messaging and collaboration services within a business, an association, or a group.

organizational unit 

An Active Directory container into which you can place objects such as user accounts, groups, computers, printers, applications, file shares, and other organizational units. Organizational units can be used to contain and assign specific permissions to groups of objects, such as users and printers. An organizational unit cannot contain objects from other domains. An organizational unit is the smallest unit you can assign or delegate administrative authority to.

Outlook Web Access 

Outlook Web Access for Microsoft Exchange 2000 Server provides users access to e-mail, personal calendars, group scheduling, contacts, and collaboration applications using a Web browser. It can be used for UNIX and Macintosh users, users without access to a Microsoft Outlook 2000 client, or users connecting from the Internet. Outlook Web Access offers cross-platform client access for roaming users, users with limited hardware resources, and users who do not have access to their own computers.


permission 

Authorization for a user to perform an action, such as sending e-mail for another user or posting items in a public folder.

PKI 

See definition for: public key infrastructure

Point-to-Point Tunneling Protocol 

(PPTP) An encryption protocol used for remote computers to securely access other computer networks across an Internet connection. Often used with Virtual Private Networks (VPNs).

policy 

A collection of configuration settings that are applied to one or more Exchange configuration objects. You can use policies to simplify the administration of Exchange. You can define a policy that controls the configuration of some or all settings across a server or other objects in an Exchange organization. After policies are defined and implemented, editing the policy and applying the changes will change the configuration of all servers and objects covered by the policy.

POP3 

See definition for: Post Office Protocol version 3

Post Office Protocol version 3 

(POP3) An Internet protocol that allows a client to download mail from an inbox on a server to the client computer where messages are managed. This protocol works well for computers that are unable to maintain a continuous connection to a server.

PPTP 

See definition for: Point-to-Point Tunneling Protocol

presence information 

In Instant Messaging, the information visible to users that shows the online status of contacts (online, busy, away, and so on).

primary connection agreement 

A connection agreement that matches objects that exist, and creates new objects that did not exist. See also: connection agreement

primary domain controller emulator master 

The domain controller assigned to act as a Microsoft Windows NT primary domain controller (also known as PDC) to service network clients that do not have Active Directory client software installed, and to replicate directory changes to any Windows NT backup domain controllers (also known as BDCs) in the domain. For a Windows 2000 domain operating in native mode, the primary domain controller emulator master receives preferential replication of password changes performed by other domain controllers in the domain and handles any password authentication requests that fail at the local domain controller. At any time, there can be only one primary domain controller emulator in a particular domain.

proxy server 

A firewall component that manages Internet traffic to and from a LAN and can provide other features, such as document caching and access control.

public folder 

A folder that coworkers can use to share a wide range of information, such as project and work information, discussions about a general subject, and classified ads. Access permissions determine who can view and use the folder. Public folders are stored on computers running Exchange.

public folder hierarchy 

A tree or hierarchy of public folders with a single public folder store.

public folder replication 

The process of keeping copies of public folders on other servers up to date and synchronized with each other.

public folder store 

The part of Microsoft Web Storage System that maintains information in public folders. A public folder store consists of a rich-text .edb file, plus a streaming native Internet content .stm file.

public key infrastructure 

(PKI) The laws, policies, standards, and software that regulate or manipulate certificates and public and private keys. In practice, it is a system of digital certificates, certification authorities, and other registration authorities that verify the validity of each party involved in an electronic transaction. Exchange Key Management Service (KMS) works with Windows 2000 Certificate Services to provide a PKI for Exchange organizations. Through a third-party certification authority, a Windows 2000 Certificate Services server may be part of a larger PKI that extends beyond an organization. Certificate Services issues X.509 version 3 certificates that bind a user's identity, such as an e-mail address and distinguished name, to their public keys. KMS maintains an encrypted database of the corresponding private encryption keys. See also: certificate template, key pair


RAID 

See definition for: redundant array of independent disks

recipient 

An Active Directory object that is mail-enabled, mailbox-enabled, or that can receive e-mail. A recipient is an object within Active Directory that can take advantage of Exchange functionality.

recipient policy 

Policies that are applied to mail-enabled objects to generate e-mail addresses. They can be defined to apply to thousands of users, groups, and contacts in Active Directory by using a Lightweight Directory Access Protocol (LDAP) query interface in a single operation.

Recipient Update Service 

An Exchange 2000 service that updates the recipient objects within a domain with specific types of information. You can schedule appropriate intervals to update the recipient objects. For example, this service updates recipient objects with address list membership and e-mail addresses at intervals scheduled by the administrator.

redundant array of independent disks 

(RAID) A mechanism for storing identical data on multiple disks for redundancy, improved performance, and increased mean time between failures (MTBF). RAID provides fault tolerance and appears to the operating system as a single logical drive.

remote bridgehead server 

A server that handles e-mail flow to and from a routing group connector in a different routing group.

remote procedure call 

(RPC) A routine that transfers functions and data among computers on a network.

replica 

A copy of a public folder that contains all of the folder's contents, permissions, and design elements, such as forms behavior and views. Replicas are useful for distributing user load on servers, distributing public folders geographically, and for backing up public folder data.

replication 

See definition for: directory replication

reverse proxy server 

A reverse proxy server is similar to a regular proxy server used for outbound network traffic except that it relays connection requests for inbound network traffic.

routing group 

A collection of Exchange servers that have full-time, reliable connections. Messages sent between any two servers within a routing group go directly from source to destination. Similar to administrative groups, routing groups are optional and are not visible in System Manager unless they are enabled.

routing group bridgehead server 

A server within a routing group that exchanges directory updates with a server in another routing group.

routing group connector 

A connector that specifies the connection of a local routing group to a server in a remote routing group. It also specifies the local bridgehead server, if any, and the connection cost, schedule, and other configuration properties.

RPC 

See definition for: remote procedure call

RSA cryptographic algorithms 

A widely used set of public key algorithms that are available from RSA Data Security, Inc. The RSA cryptographic algorithms are supported by the Microsoft Base Cryptographic Service Provider and the Microsoft Enhanced Cryptographic Service Provider.


schema 

A logical model for data; an organizational framework. Schema defines the universe of objects that can be stored in Active Directory. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it can have, and what object class can be a parent of the current object class.

schema master 

The domain controller that performs write operations to the directory schema. Schema updates are replicated from the schema master to all other domain controllers in the forest. Only the schema master domain controller can perform this task.

Secure Sockets Layer 

(SSL) A protocol designed to establish a secure communications channel to prevent the interception of critical information, such as credit card numbers.

security association 

A set of parameters that defines the services and mechanisms necessary to protect Internet Protocol security (IPSec) communications.

security descriptor 

In Windows 2000, it is possible to set security for objects because every object has a security descriptor. The security descriptor is where the security settings for the object are stored. A security descriptor consists of the security identifier (SID) of the object owner, a group SID used by the Portable Operating System Interface (POSIX) subsystem and Services for Macintosh, a discretionary access control list (DACL), and a system access control list (SACL).

security identifier 

(SID) A data structure of variable length that uniquely identifies user, group, service, and computer accounts within a forest. Every account is issued a SID when the account is first created. Access control mechanisms in Windows 2000 identify security principals by SID rather than by name.
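As an added example (not Windows code) covering the two definitions above, the Python below first packs and unpacks the binary SID layout (a revision byte, a sub-authority count byte, a 48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities), and then evaluates a discretionary access control list against an access token the way the Windows access check does: ACEs are walked in order, an access-denied ACE whose SID is in the token and overlaps the still-unsatisfied bits refuses access, and access-allowed ACEs grant bits until none remain. The account SIDs, the access mask bits and the ACLs are constructed sample values.

```python
"""SID encoding and DACL evaluation (added example, not Windows code)."""
import struct
from typing import List, Optional, Tuple

# Constructed sample access mask bits (real object types define their own masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# Constructed sample SIDs: a well-known one (Everyone) and domain accounts with made-up RIDs.
EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-21-1000-2000-3000-512"
ALICE = "S-1-5-21-1000-2000-3000-1104"
BOB = "S-1-5-21-1000-2000-3000-1105"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1200"


def sid_to_bytes(sid: str) -> bytes:
    """Pack 'S-R-A-s1-s2-...' into the binary SID structure."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # SID_MAX_SUB_AUTHORITIES
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Unpack the binary SID structure, validating its declared length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


# An ACE is (type, SID, access mask); the DACL is an ordered list of ACEs.
ACE = Tuple[str, str, int]


def access_check(dacl: Optional[List[ACE]], token_sids: List[str], desired: int) -> bool:
    """Windows-style DACL evaluation for a token holding `token_sids`."""
    if dacl is None:
        return True  # a NULL DACL grants everyone everything
    remaining = desired
    for ace_type, sid, mask in dacl:  # order matters: first matching deny wins
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0  # an empty DACL (no ACEs) therefore denies all access


# Constructed canonical DACL: deny ACEs first, then allow ACEs.
SAMPLE_DACL: List[ACE] = [
    ("deny", CONTRACTORS, WRITE | DELETE),
    ("allow", EVERYONE, READ),
    ("allow", ADMINS, READ | WRITE | DELETE),
]

# Constructed non-canonical DACL: the allow precedes the deny, so the deny never takes effect.
MISORDERED_DACL: List[ACE] = [
    ("allow", EVERYONE, WRITE),
    ("deny", CONTRACTORS, WRITE),
]

if __name__ == "__main__":
    print(sid_to_bytes(EVERYONE).hex())
    print(access_check(SAMPLE_DACL, [ALICE, EVERYONE, ADMINS], READ | WRITE))
    print(access_check(SAMPLE_DACL, [BOB, EVERYONE, CONTRACTORS], WRITE))
```

The misordered DACL illustrates why the ACE order in a security descriptor matters: an allow ACE placed before a deny ACE satisfies the request before the deny is ever reached, so tools that write DACLs keep deny entries ahead of allow entries.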

security subsystem 

See definition for: Local Security Authority

server cluster 

A group of independent computers that work together to run a common set of applications. The computers are physically connected by cables and programmatically connected by cluster software. These connections allow the computers to use problem-solving features, such as load balancing, while appearing to the user and applications as a single system.

SID 

See definition for: security identifier

Simple Mail Transfer Protocol 

(SMTP) The standard protocol for Internet mail. SMTP transfers mail from server to server and from mail system to mail system. In Exchange 2000 Server, SMTP is the native transport protocol.

site 

In Windows 2000, one or more reliable and fast TCP/IP subnets. Setting up Windows 2000 sites allows you to configure Active Directory access and a replication topology to take advantage of the physical network.

site (in earlier versions of Exchange) 

A group of servers (usually in the same geographic location) that share the same directory information and can communicate over high-bandwidth, permanent, and synchronous connections.

site link 

An Active Directory object that represents a set of sites that can communicate at uniform cost. For Internet Protocol (IP) transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link connecting more than two sites might correspond to an ATM backbone connecting more than two clusters of buildings on a large campus, or several offices in a large metropolitan area connected by leased lines and IP routers.

Site Replication Service 

A directory service (similar to the directory used in Exchange Server 5.5) implemented in Exchange 2000 to allow integration with Exchange 5.x sites that use both remote procedure call (RPC) and mail-based replication. Site Replication Service works with Active Directory Connector (ADC) to provide replication services from Active Directory to the Exchange 5.x Directory Service.

smart host 

A designated server through which Exchange routes all outgoing messages. The smart host then makes the remote connection. If a smart host is designated, the Exchange server only needs to transmit to the smart host, instead of repeatedly contacting the domain until a connection is made. Also known as a relay host.

snap-in 

Software that makes up the smallest unit of a Microsoft Management Console (MMC) extension. One snap-in represents one unit of management behavior.

SSL 

See definition for: Secure Sockets Layer

SSPI 

See definition for: Microsoft Security Service Provider Interface

storage group 

A collection of mailbox stores and public folder stores that share a set of transaction log files. Exchange manages each storage group with a separate server process.

system policies 

Policies that apply to server-side objects, such as mailbox stores, public folder stores, and servers.


TCP/IP filtering 

A feature of Windows 2000 TCP/IP that allows you to specify exactly which types of incoming non-transit IP traffic are processed for each IP interface.

TLS 

See definition for: Transport Layer Security


A random character string given to users to enable advanced security for them.

transaction log file 

A file that maintains a record of every message stored in a storage group and provides fault tolerance in the event that a database must be restored.

transitive trust relationship 

The trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. Windows 2000 transitive trusts are always two-way relationships.

Transport Layer Security 

(TLS) A generic encryption technology similar to Secure Sockets Layer (SSL). Like SSL, TLS encrypts information over the wire between a client and a server to prevent packet sniffing and other attempted security breaches. In Exchange, TLS is used by SMTP virtual servers. Authentication protects the server from unauthorized access; TLS encryption protects the information the server sends and receives.

tree 

Also known as a directory hierarchy. A hierarchical arrangement of one or more Windows 2000 domains that share a common naming structure. End points on the tree are usually objects. Nodes in the tree, or points at which the tree branches, are containers that hold a group of objects or other containers. A tree shows how objects are related to one another.

trust relationship 

The relationship between two domains that makes it possible for a user in one domain to access resources in another domain.

two-step migration 

One of two migration methods available in Migration Wizard. In a two-step migration, first you extract migration files from another messaging system server and, if necessary, review or edit the migration files. Then you import the migration files to Exchange. See also: one-step migration


universal group 

A Windows 2000 group available only in native mode that is valid anywhere in a forest. A universal group appears in the global catalog but contains primarily global groups from domains in a forest. This is the simplest form of group and can contain other universal groups, global groups, and users. See also: domain local group

user 

An Active Directory object that has a Windows security account and a password. A user is the only Active Directory object that can have a mailbox associated with it. A user in Windows 2000 is the equivalent of a mailbox in earlier versions of Exchange.


virtual root 

A mapping between a specific path or name and a physical storage location, whether a local file directory, a network share, or a redirection to another URL. For Hypertext Transfer Protocol (HTTP), a virtual root defines a mapping between a URL path and a physical storage location. For Network News Transfer Protocol (NNTP), a virtual root defines a mapping between a newsgroup name and a physical storage location.

virtual server 

A collection of services that appears to clients as a physical server. It is an instance of a protocol service (for example, SMTP) with a defined set of Internet Protocol (IP) address/port combinations and an independent collection of configuration properties. A virtual server typically includes all the resources necessary to run a particular application, including a network name resource and an IP address resource.


Web Distributed Authoring and Versioning 

(WebDAV) An extension of Hypertext Transfer Protocol (HTTP) 1.1 that allows clients to perform remote Web content authoring. Content that is stored on a server can be accessed by a client through HTTP by using WebDAV extensions. The client can perform tasks provided by HTTP, including reading e-mail and documents. If the client also supports WebDAV, the client can manipulate mail, change calendar appointments, modify and create new documents on the Exchange 2000 server, and create Web-based forms. WebDAV uses Extensible Markup Language (XML) as the format for transmitting data elements.

Web Storage System 

A storage platform that provides a single repository for managing multiple types of unstructured information within one infrastructure. Microsoft Web Storage System combines the features and functionality of the file system, the Web, and a collaboration server (such as Exchange Server) through a single, URL-addressable location for storing, accessing, and managing information, as well as building and running applications.

WebDAV 

See definition for: Web Distributed Authoring and Versioning


X.400 Connector 

A Microsoft Exchange Server component that is integrated with the message transfer agent (MTA) and can be configured to connect routing groups within Exchange, or to route messages to other X.400 systems. When handling communication between Exchange and other X.400 systems, it maps addresses and converts Exchange messages to native X.400 messages and vice versa.


zone 

In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all the names within the zone.