Glossary - Exchange 2000, Windows 2000 And Security Glossary

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Updated : June 14, 2001

On This Page

Windows 2000 and Active Directory
Exchange 2000

Windows 2000 and Active Directory

Access Control Entry – ACE

An object such as a user or group that is present on an Access Control List.

Access Control List – ACL

A description of security permissions applied to an object, property, or resource. An ACL normally includes membership (ACEs) and the associated actions or manipulations that each member can perform on the item.

Active Directory

The Windows 2000 directory service. This replaces the Security Accounts Manager (SAM) in Microsoft Windows NT version 4.0. Active Directory consists of a forest, domain(s), organization units, containers, and objects. Different classes of objects can be represented within Active Directory including users, groups, computers, printers, and applications. The use of Active Directory is governed by its schema.

Active Directory Connector – ADC

The service that replicates information between the Exchange Server 5.5 directory and Active Directory. Replicated information includes mailboxes, custom recipients, and distribution lists. The ADC uses Connection Agreements to define individual configurations for replication. Two versions of the ADC exist; one for Windows 2000 and one for Exchange 2000.

Active Directory Migration Tool – ADMT

The Active Directory Migration Tool provides an easy, secure, and fast way to migrate from Windows NT to the Windows 2000 Server Active Directory service. You can also use ADMT to restructure your Windows 2000 Active Directory domains. This tool can help a system administrator diagnose any possible problems before starting migration operations. The task-based wizards will then allow you to migrate users, groups, and computers; set correct file permissions; and migrate Microsoft Exchange Server mailboxes. The tool's reporting feature allows you to assess the impact of the migration, both before and after move operations.

Active Directory Services Interfaces – ADSI

A directory service abstraction interface that allows programming languages that are compatible with the Component Object Model (COM), such as Visual Basic, VBScript, JavaScript, C, and C++ to make common directory calls to an underlying directory service. ADSI providers include Lightweight Directory Access Protocol (LDAP), NDS, Bindery, and Windows NT (SAM). Programmers and system administrators normally use ADSI to automate or script the bulk manipulation of directory entries.


A Microsoft Management Console (MMC) snap-in used to view all objects in the directory (including schema and configuration information), modify objects, and set access control lists on objects.

Collaboration Data Objects (CDO) for Windows 2000

A high-level application programming interface (API) that allows applications to programmatically access Simple Mail Transfer Protocol (SMTP) and Network News Transfer Protocol (NNTP) protocol stacks on a computer running Windows 2000; for example, an automated mailer routine can send Web pages by e-mail which contain reports to employees. CDO for Windows 2000 is included with the Windows 2000 operating system and its services are supplied from the CDOSYS.DLL file.

Connection Agreement – CA

The configuration of information to be replicated using the Active Directory Connector. This configuration information includes the servers that participate in the replication, which object classes (mailbox, custom recipient, distribution list user, contact, and group) to replicate, containers and organizational units to use for object placement, and the activity time schedule.


A non-security principal that represents a user outside of the organization. A contact will generally have an e-mail address, facilitating messaging between the local organization and the remote object. A contact is similar to a custom recipient in Exchange Server 5.5.

Domain controller

A server that can authenticate users for a domain. There must be at least one domain controller in each domain within the forest. Each domain controller holds a complete replica of the domain naming context that the server is in and a complete replica of the configuration and schema naming contexts for the forest. A domain controller can be promoted and demoted through the Dcpromo utility.

Domain mode

An Active Directory domain can be in either mixed mode or native mode. In mixed mode, the domain is restricted to limitations (such as 40,000 objects) imposed by the Windows NT 4.0 domain model. However, Windows 2000 domain controllers and Windows NT 4.0 backup domain controllers can seamlessly co-exist within the domain without problems. Switching to native mode, which is irreversible, allows the directory to scale up to millions of objects and overcome the constraints of the earlier SAM, but requires that all domain controllers be upgraded to Windows 2000. A domain in native mode allows for rich group creation and nesting, which is advantageous to Exchange 2000.

Note that Windows NT 4.0 member servers can still exist within a native-mode domain. Additionally, clients do not have to be upgraded before the domain mode is switched.

Domain Name Services - DNS

A major standards-based protocol that allows clients and servers to resolve names into Internet Protocol (IP) addresses and vice versa. Windows 2000 extends this concept even further by supplying a Dynamic Domain Name System (DDNS) service that enables clients and servers to automatically register themselves in the database without needing administrators to manually define records.

Domain tree

A collection of domains that have a contiguous namespace, such as, and Domains within the forest that do not have the same hierarchical domain name are located in a different domain tree. A disjoint namespace is the term used to describe the relationship between different domain trees in the forest.


See Forest.

Forest (also known as enterprise)

A collection of domains and domain trees. The implicit name of the forest is the name of the first domain installed. All domain controllers within a forest share the same configuration and schema naming contexts. To join an existing forest, the Dcpromo utility is used. The first domain within the forest cannot be removed.

Global Catalog

A server that holds a complete replica of the configuration and schema naming contexts for the forest, a complete replica of the domain naming context in which the server is installed, and a partial replica of all other domains in the forest. The global catalog knows about every object in the forest and has representations for them in its directory, however, it may not know about all attributes (such as job title and physical address) for objects in other domains. The attributes that are tagged for replication to the global catalog are assigned through the Active Directory Schema Manager Microsoft Management Console (MMC) snap-in. There is only one policy for global catalog attribute replication in the forest. A global catalog will listen on port 3268 for LDAP queries (that are global to the forest), and port 389, which standard domain controllers use (for local domain queries).

A domain controller can be made into a global catalog (and vice versa) by selecting or deselecting a check box in the Active Directory Sites and Services MMC snap-in.


An object defined in Active Directory that contains members of other objects such as users, contacts, and possibly other groups. A group may be one of two types, either distribution or security depending on the requirement, and have a scope of either local, domain, or universal. This is similar to a distribution list in Exchange Server 5.5.

Lightweight Directory Access Protocol – LDAP

A standards-based protocol that can be used to interact with conformant directory services. LDAP version 2.0 allows for reading the contents of a directory database, whereas LDAP version 3.0 (defined under RFC2251) allows users and applications to both read and write to a directory database. LDAP was developed by Tim Howes and the University of Michigan.

Naming context

A self-contained section of a directory hierarchy that has its own properties, such as replication configuration and permissions structure. Active Directory includes the domain, configuration, and schema naming contexts. Exchange Server 5.5 also uses naming contexts; Organization, Address Book Views, Site, Configuration, and Schema.


A logical collection of resources that can be managed as a single unit. Within Active Directory, a domain defines a namespace.


The metadata (data about data) that describes the use of objects within a given structure. In Active Directory, the schema governs the type of objects that can exist and the mandatory and optional attributes of each object. Windows 2000 Active Directory has an extensible schema that allows third parties to create their own object classes.

Schemas also exist for other components such as the message transfer agent and information store in Exchange Server.

Security principal

A user who can log on to a domain and have access to network resources. In Active Directory, a user object is a security principal.

A non-security principal is an object represented in Active Directory that cannot access resources within the enterprise.


A collection of IP subnets. All computers that are in the same site have high-speed connectivity—local area network (LAN) speeds—with one another. Unlike an Exchange site, an Active Directory site does not include a unit of namespace; for example, multiple sites may exist within a single domain, and conversely, a single site may span multiple domains.


In Active Directory, this is a security principal (a user who can log on to the domain). A user may have an e-mail address and/or an Exchange mailbox, making the object mail-enabled and/or mailbox-enabled, respectively.

User Principal Name – UPN

A multi-valued attribute of each user object that the system administrator can set. A UPN allows the underlying domain structure and complexity to be hidden from users; for example, although 50 domains may exist within a forest, users would seamlessly log on as if they were in the same domain. For consistency purposes, system administrators can make the UPN and users' SMTP address the same.

A user can log on to Active Directory through a number of different methods:

  1. By specifying the user name and domain name

  2. By using the convention of username@domain-name in the user box

  3. By using his or her UPN, such as

Exchange 2000

ActiveX Data Objects – ADO

A programming layer built on top of OLE DB that allows high-level programming languages such as Visual Basic and VBScript to access an underlying data store through a common query language. In this instance, a data store can be Active Directory, the Exchange 2000 store, or a SQL database.

Active Directory Connector – ADC

The service that replicates information between the Exchange Server 5.5 directory and Active Directory. Replicated objects include mailboxes, custom recipients, distribution lists, and site configuration information. ADC uses Connection Agreements (CAs) to define individual configurations for replication. The Exchange 2000 ADC is also used to allow Exchange 5.x and Exchange 2000 servers to coexist within the same Exchange site.

Note that two versions of the ADC exist; one for Windows 2000 and one for Exchange 2000.

Administration group

A collection of servers running Exchange 2000 that can be administered as a single unit. An administration group can include zero or more policies, routing groups, public folder trees, monitors, servers, conferencing services, and chat networks. When security settings (permissions) are applied to an administration group, all child objects in the DS tree inherit the same Access Control Lists (ACLs) as the administration group node. Note that an administration group does not define the routing topology for messages; this is handled by routing groups.


A nominated server that acts as a message transfer point between Exchange 2000 routing groups. This term can also refer to the computer hosting a directory replication connector.

Collaboration Data Objects 1.21 – CDO 1.21 (Also known as Active Messaging and OLE Messaging)

An application programming interface (API) that allows users and applications to access data objects within a server running Exchange. CDO defines the concept of different object classes including messages (IPM.Note), posts (IPM.Post), and appointments (IPM.Appointment). Message stores and folder hierarchies can also be manipulated through CDO 1.21.

CDO 1.21 is included with Exchange Server 5.5 and its services are supplied from the CDO.DLL file

Collaboration Data Objects (CDO) for Windows 2000

CDO for Windows 2000 is defined in the Windows 2000 section earlier in this document.

Collaboration Data Objects

An Application Programming Interface that is a superset of CDO for Windows 2000. In addition to gaining programmatic access to the Simple Mail Transfer Protocol (SMTP) and Network News Transfer Protocol (NNTP) stacks, CDO for Exchange 2000 provides support for the creation and manipulation of message items, appointments, and contact cards.

(CDO) for Exchange 2000

CDO for Exchange 2000 is included with Exchange 2000 and its services are supplied from the CDOEX.DLL file.

CDO for System Management (formerly known as Exchange Management Objects – EMO)

An API that allows administrators to programmatically access management information on an Exchange 2000 server, including databases and mailboxes. Services are supplied out of EMO.DLL file.

Conferencing Management Service – CMS

The network service that coordinates the booking of virtual resources for online meetings in the Exchange Conference Service. Each site (not domain) normally has an active Conferencing Management Service to allow fast connection for data conferencing users.

Conference Technology Provider – CTP

A provider of data conferencing services such as real-time video, audio, and telephony integration.

Configuration Connection Agreement – ConfigCA

A special Connection Agreement implemented as part of the Active Directory Connector that replicates configuration naming context data from downlevel Exchange 5.x sites to administration groups in Active Directory and vice versa. ConfigCAs work in conjunction with the Site Replication Service.

Connection Agreement

The configuration of information to replicate using the Active Directory Connector. Configuration information includes the servers that participate in the replication; which object classes (mailbox, custom recipient, distribution list and user, contact, and group) to replicate; containers and organization units to use for object placement; and the activity time schedule.

Distributed Authoring and Versioning – DAV (also known as HTTP-DAV and Web-DAV)

An extension to the Hypertext Transfer Protocol 1.1 (HTTP/1.1) that allows for the manipulation (reading and writing) of objects and attributes on a Web server. Exchange 2000 natively supports WebDAV. Although not specifically designed for the purpose, DAV allows for the control of data using a filing system-like protocol. DAV commands include Lock, Unlock, Propfind and Proppatch.


The Exchange 2000 component that provides directory lookup services for components such as Simple Mail Transfer Protocol (SMTP), Message Transfer Agent (MTA), and the store. Client requests use the DSProxy service for directory access.


The Exchange 2000 component that can proxy (and refer) Messaging Application Programming Interface (MAPI) directory service requests from Outlook clients to Active Directory for Address Book lookup and name resolution.



Event sink

A piece of code that is activated by a defined trigger, such as the reception of a new message. The code is normally written in any COM-compatible programming language such as Visual Basic, VBScript, JavaScript, C, or C++. Exchange 2000 supports the following event sinks:

  • Transport

  • Protocol

  • Store

Event sinks on the store can be synchronous (code executes as the event is triggered) or asynchronous (code executes sometime after the event).

Exchange Conferencing Services – ECS

A service that allows users to meet in virtual rooms on a server running Exchange. Exchange Conferencing Services defines the use of a Conferencing Management Service to coordinate the room bookings and a T.120 Multipoint Control Unit (MCU) for the actual connection of clients to a conferencing session.

Exchange Virtual Server – EVS

When clustering, you allocate different resources (such as storage groups) to an EVS. Upon node failure, an EVS can be moved from the failed node to one of the remaining nodes.

EXIPC (formerly known as Epoxy)

A queuing layer that allows the Internet Information Server (IIS) and store processes (Inetinfo.exe and Store.exe) to shuttle data back and forth very quickly. This is required to achieve the best possible performance between the protocols and database services on a server running Exchange 2000. Conventional applications require the processor to switch contexts when transferring data between two processes.

Exchange Server 5.5 incorporated protocols such as Network News Transfer Protocol (NNTP), Post Office Protocol 3 (POP3), and Internet Messaging Access Protocol (IMAP) directly into the Store.exe process, so data transfer was very efficient. The Exchange 2000 architecture separates the protocols from the database for ease of management and to support future architectures.

Extensible Storage Engine – ESE (also known as JET)

Formerly known as Joint Engine Technologies (JET), the ESE is a method that defines a very low-level Application Programming Interface (API) to the underlying database structures in Exchange Server. Other databases, such as the Active Directory database (Ntds.dit), also use ESE. Exchange 2000 uses ESE98, whereas Exchange 5.5 and Active Directory use the older ESE97 interface.

Event Service

A Windows NT service that is installed by Exchange Server 5.5. This service allows programmers to write programs that use Exchange's Event Handler to process events that occur in a Public Folder or Mailbox.


An Exchange 2000 configuration in which clients access a bank of protocol servers (the front-end) for collaboration information, and these in turn, communicate with the data stores on separate servers (the back-end) to retrieve the physical data. A front-end/back-end configuration allows for a scalable, single point of contact for all Exchange-related data.

Hosted organization (also known as virtual server, virtual machine, virtual organization)

A collection of Exchange services including, but not limited to virtual servers (that is, instances of IMAP4, SMTP, POP3, NNTP, HTTP, RVP), storage space, and real-time collaboration facilities that exist to serve the needs of a single company. A hosted organization is normally used by Internet Service Providers to host multiple companies on the same physical computer. However, a hosted organization is not limited to a single server running Exchange 2000.


See Distributed Authoring and Versioning.

Installable File System – IFS

See Web Storage System

Instant Messaging – IM

The Exchange 2000 service that allows for real-time messaging and collaboration between users. Clients generally use the MSN Messenger client to log on to Instant Messaging and subscribe to other users.

Instant Messaging Presence Protocol – IMPP

The standards-based protocol clients use to interact with an Instant Messaging server. IMPP is being developed by leading vendors, including Microsoft and Lotus. The Instant Messaging service in Exchange 2000 uses a Microsoft published protocol called Rendezvous Protocol (RVP) while IMPP is being ratified

Internet Messaging Access Protocol version 4 – IMAP4

A standard-based protocol for accessing mailbox information. IMAP4 is considered to be more advanced than POP3 because it supports basic online capabilities and access to folders other than the Inbox. Exchange Server 5.x and Exchange 2000 both support IMAP4.

Joint Engine Technology – JET

Defines the low-level access to underlying database structures in Exchange Server 4.0 and 5.0. JET was superceded with the Extensible Storage Engine (ESE) in Exchange Server 5.5 and Exchange 2000.

Link State Algorithm – LSA

The algorithm used to propagate routing status information between servers running Exchange 2000. Based on 'Dijkstra's algorithm', link state information is transferred between routing groups using the X-LINK2STATE command verb over Simple Mail Transfer Protocol (SMTP)SMTP and within a routing group using a Transmission Control Protocol (TCP) connection to port 691.

Mail-based replication – MBR

A mechanism to replicate directory information through a messaging transport. This term applies to Exchange 5.x inter-site directory replication, and additionally, Active Directory replication through SMTP.


An instance of a database implemented in Exchange server. A single MDB is normally identified as being public or private depending on the type of data that it stores. A single server running Exchange 2000 can accommodate up to 20 active MDBs.

Message Transfer Agent – MTA

The component in all versions of Exchange Server that transfers messages between servers using the X.400 protocol.

Messaging Application Programming Interface – MAPI

The API that is used by Microsoft messaging applications such as Outlook to access collaboration data. MAPI, or more specifically, MAPI Remote Procedure Calls (RPC), is also used as the transport protocol between Outlook clients and servers running Exchange.


A store that contains metadata such as that used by Internet Information Server IIS to obtain its configuration data. The metabase can be viewed through utilities such as Metaedit.

Metabase update service

A component in Exchange 2000 that reads data from Active Directory and transposes it into the local IIS metabase. The metabase update service allows the administrator to make remote configuration changes to virtual servers without a permanent connection to each system.


Data about data. In relation to Exchange, this term can be used in the context of Active Directory, but can also be used to describe the structure within the store or the MTA.

Mixed-vintage site (also known as "PtOz")

An Exchange 5.x site that also contains servers running Exchange 2000.

Multipoint Control Unit – MCU

A reference to the T.120 protocol that allows clients to connect to data conferencing sessions. MCUs can communicate with each other to transfer conferencing information.

Name Service Provider Interface – NSPI

Part of the DSProxy process that can accept Outlook client directory requests and pass them to an address book provider.

Network News Transfer Protocol – NNTP

A standards-based protocol that includes simple command verbs to transfer USENET messages between clients and servers, and between servers. NNTP uses Transmission Control Protocol/Internet Protocol (TCP/IP) port 119.


An Application Programming Interface (API) that allows low-level programming languages such as C and C++ to access dissimilar data stores through a common query language. OLE DB is seen as the replacement for Open Database Connectivity (ODBC). Data stores such as those in Exchange 2000 and SQL Server allow for OLE DB access, which makes application development easier and faster.

High-level programming languages such as Visual Basic can use ActiveX Data Objects (ADO) to issue queries through OLE DB.

Outlook Web Access

The Web browser interface to Exchange Server mailbox and public folder data. The Outlook Web Access client in Exchange Server 5.x uses Active Server Pages to render collaboration data into HTML, whereas the Outlook Web Access Client in Exchange 2000 uses native access to the store.


A collection of configuration settings that can be applied to objects of the same class in Active Directory. In relation to Exchange 2000, this may include mailbox thresholds and deleted item retention.

Post Office Protocol version 3 – POP3

A standards-based protocol for simple access to Inbox data. All versions of Exchange server except version 4.0 support POP3. POP3 uses TCP/IP port 110 for client to server access.

Protocol farm

A collection of virtual servers that are used as the primary connection point for users in an organization. The farm abstracts the connection protocols from the location of the back-end data, which allows users to access information without having to know its physical location.

Public folder connection agreement – PFCA

A connection agreement in the Active Directory Connector (ADC) that is responsible for replicating Public Folder proxy objects between the Exchange 5.5 directory and Active Directory. These objects are necessary for sending e-mails directly to the folder. Each PFCA is hard-coded to be two-way, and will replicate between the site naming context in Exchange 5.5 and the 'Microsoft Exchange System Objects' container in the Active Directory domain. It is normal to create one PFCA for each Exchange 5.5 site in the organization.

Public folder tree (also known as public folder root and top level hierarchy – TLH)

A collection of public folders created under the same hierarchical namespace. Previous releases of Exchange server used only a single tree (called: All Public Folders), whereas multiple trees can be defined in Exchange 2000. Each tree is a unit of hierarchy replication and can be replicated to one or more Public MDBs. A Public MDB can host only one tree. Messaging Application Programming Interface (MAPI) clients such as Outlook can only access a single tree called All Public Folders, whereas other clients such as a Web browser or a networking client using the Microsoft Web Storage System can access any tree that is defined.

Recipient Update Service – RUS

This is part of the Exchange System Attendant and is responsible for keeping Address Lists up-to-date and creating proxy addresses for users.

Remote Procedure Calls – RPC

A reliable synchronous protocol that transfers data between clients and servers, and between servers. Outlook clients use Messaging Application Programming Interface (MAPI) RPC for accessing mailboxes and public folders, and servers running Exchange 2000 communicate with the Exchange Server 5.x Message Transfer Agent (MTA) using RPC (in a mixed-vintage organization).


In real-time collaboration, a user object in Active Directory that represents a facility. A resource is used by Outlook users for booking meetings and data conferences. Resources are stored in the "System \ Exchange" Organization Unit in the Active Directory.

Resource mailbox

A mailbox that is associated with a resource instead of a user (such as a conference room for reservation purposes). In Exchange 5.5 one user (Windows security principal) may have had several mailbox accounts associated with it – such as a receptionist with a personal mailbox and a conference room mailbox associated. In Exchange 2000, there must be a one-to-one correspondence between a Windows 2000 security principal and a mailbox. Consequently, Exchange 5.5 resource mailboxes must have a Windows 2000 security principal (usually with no logon rights) associated with it, and a resource mailbox owner (with their own personal mailbox) is given delegated access to the resource mailbox.

Routing group

A collection of Servers running Exchange 2000 that can transfer messaging data to one another in a single-hop without going through a bridgehead. In general, Exchange computers within a single routing group have high-bandwidth, resilient network links between each other.

Additionally, a routing group defines the boundary for public folder access.

Routing Group Connector – RGC

A connector in Exchange 2000 that connects routing groups to one another. An RGC is uni-directional and can have separate configuration properties (such as allowable message types over the connection). Routing Group Connectors use the concept of local and remote bridgeheads to dictate which servers in the routing groups can communicate over the link. The underlying message transport for an RGC is either Simple Mail Transfer Protocol (SMTP) or Remote Procedure Calls (RPC) and it uses link state information to route messages efficiently.

Routing Engine

This COM component runs on the Event Service on Microsoft Exchange Server version 5.5. It acts as a simple state engine that executes and tracks multiple process instances within a Microsoft Exchange folder. The state is advanced when events fire within the folder. The routing engine supports the execution of flow-control activities (workflow) directly, and it can call VBScript functions for other activities. Microsoft Exchange Server Routing also works with the Microsoft Transaction Server (MTS)

Routing service

A component in Exchange 2000 that builds link state information.

Routing Objects

Component Object Model (COM) objects that are used to program Exchange's routing engine behavior. These objects allow the creation and manipulation of process maps, which define the series of states to be tracked by the routing engine and the activities to be performed at each step. Routing objects are used primarily in workflow applications.

Rendezvous Protocol (RVP)

(Note that this name is preliminary). The Microsoft published protocol that is used between the MSN Messenger service and the Instant Messaging server that is implemented on Exchange 2000. RVP uses an extended subset of HTTP-DAV with an Extensible Markup Language (XML) payload to send subscriptions and notifications between Instant Messaging clients and servers.


The metadata (data about data) that describes how objects are used within a given structure. In relation to Exchange, this term may be used in the context of Active Directory, but it can also be used to describe the structure within the store or the MTA.

Simple Message Transfer Protocol – SMTP

A major standards-based protocol that allows for the transfer of messages between different messaging servers. SMTP is defined under RFC821 and uses simple command verbs to facilitate message transport over TCP/IP port 25.

Scripting Agent

Exchange Server Scripting Agent lets you use server-side scripts that run as a result of events occurring in Exchange folders. There are four events that can trigger the scripting agent, timer events and actions: posting, editing, receiving or deleting a message.


See Event Sink.

Site Consistency Checker – SCC (also known as the SKCC)

The updated version of the Exchange Server 5.5 Knowledge Consistency Checker (KCC) that works in conjunction with (and is part of) the Exchange Site Replication Service to ensure that knowledge consistency of sites, administration groups and Active Directory domains is maintained when interoperating between Exchange 2000 and Exchange 5.5. When changes are detected in either environment, the SCC may adjust existing configuration connection agreements.

Site Replication Service – SRS

A directory service (similar to the directory used in Exchange Server 5.5) implemented in Exchange 2000 to allow the integration with downstream Exchange 5.x sites using both Remote Procedure Calls (RPC) and mail-based replication. The SRS works in conjunction with the Active Directory Connector to provide replication services from Active Directory to the Exchange 5.x Directory Service.

Storage group

A collection of Exchange databases on a server running Exchange 2000 that share the same Extensible Storage Engine (ESE) instance and transaction log. Individual databases within a storage group can be mounted and dismounted. Each server running Exchange 2000 can architecturally host up to 16 storage groups, although only four can be defined through the Exchange System Manager.


The generic name given to the storage subsystem on a server running Exchange. This term is used interchangeably to describe the Store.exe process and Exchange databases.

System attendant

One of the core Exchange 2000 services that performs miscellaneous functions (usually related to directory information) such as generation of address lists, offline Address Books, and directory lookup facilities.


A standards-based protocol used with Exchange Data Conferencing. Clients such as Microsoft NetMeeting are T.120 compatible.

Virtual root

A shortcut pointer to a physical storage location. Virtual roots are normally defined to allow users and applications to connect with a short "friendly" path instead of navigating a complex hierarchy.

Internet Information Server (IIS) uses the concept of virtual roots to expose resources provided by a web server.

Virtual server

An instance of any service type normally implemented in Internet Information Server (IIS). For example, a virtual server can be an instance of:

  • FTP

  • IMAP

  • Instant Messaging (RVP)

  • HTTP

  • NNTP

  • POP

  • SMTP


See Distributed Authoring and Versioning.

Web Storage System

The database architecture in Exchange 2000. Previous releases of Exchange only exposed data such as public folders through MAPI, whereas Exchange 2000 exposes all of its data through MAPI, HTTP, OLE DB and Win32 layers.

This means that an object stored in a public folder can be retrieved and manipulated through a Web browser or a standard client with a network redirector. The Exchange 2000 store exposes itself to the operating system as an installable filing system, which means that the underlying data can be accessed through a drive letter, and in turn, this drive and its folders can be shared via a universal naming convention (UNC) path to allow other clients to connect to the data.


Asymmetric Cipher

The asymmetric cipher, or public-key cipher, is a means of solving the key management problem of symmetric key encryption. This system involves using two keys, one for encryption, and the other for decryption. One of the keys is called the public key, and the other is called the private key. You can use either the public or private key for encryption, and you use the opposite key for decryption. The public key is placed in a directory, or a location available to other users, but the private key is kept in a secure location, and is available only to the owner of the key pair. By using an asymmetric cipher, the sender and recipient do not need to agree on a key before sending data.

Block Cipher

A block cipher uses shared-key encryption. It takes a message and breaks it into fixed length blocks, and applies the shared-key to each block. In most cases, this block size is 64 bits. The decryption operation takes the encrypted blocks, decrypts each with the same shared-key, and rebuilds the original message.


A variable key length encryption algorithm developed by Carlisle Adams and Stafford Tavares of Northern Telecom Research. This algorithm supports keys 40 to 128 bits long.


A cipher is a mathematical function for encrypting and decrypting data. It is performed on readable clear text data to convert it to an unreadable version called cipher text. There are four types of ciphers: symmetric, asymmetric, block, and stream

Clear item

A message that is not encrypted and is thus readable.

Data Encipherment Standard—(DES/Triple DES)

An IBM symmetric encryption block cipher that uses a fixed 56-bit key. It was defined and endorsed by the U.S. government in 1977 as an official standard and is regarded as the most widely used cryptosystem in the world. A process of enciphering plain text three times with DES and three different potential series of actions. DES-EEE3 (Three DES encrypts with three different keys), DES-EDE3 (three DES operations in the sequence encipher-decipher-encipher with three different keys), or DES-EEE2 and DES-EDE2 (same as the previous formats except that the first and third operations use the same key).


Encryption is the mathematical transformation of data from a readable, clear text form, into an unreadable, cipher text form. The transformation generally requires additional secret information available only to the sender and intended recipient. This information is called a key. The key allows the message to be encrypted by the sender, and decrypted only by the intended recipient using the recipient's private key. Decryption is the opposite of encryption — it transforms unreadable, cipher text data back into readable, clear text form.

Using cryptography provides not only privacy, but it provides an identity every time a user logs on to a network, accesses voice mail, or uses a user name and password to access anything. This identification is called authentication. Authentication is a crucial part of network data security.

As electronic transaction use increases over networks, it is important to sign documents electronically. Cryptography provides the ability to create digital signatures, which in many cases are as legally binding as written ones.

Hash Functions

A hash function provides a means of computing an electronic fingerprint, or checksum of a message. This electronic fingerprint is called the hash of a message.

Hashing secures messages and private key data by using them as elements in a mathematical function that creates a checksum of the package. The algorithm is then used on the receiving end to decrypt the message. Hashes typically compute quickly, and are designed so that every imaginable message can have a unique hash. Hash algorithms include MD-4, MD-5, and SHA-1

MD (Message Digest Algorithm, MD4, MD5)

Developed by Rivest, this takes a message of arbitrary length and produces a 128-bit message digest. The algorithm is optimized for 32-bit machines. Description and source code for MD4 and MD5 can be found as Internet RFCs 1319 – 1321.

Opaque item

Message text that cannot be read without being deciphered, also known as an enciphered item.


A variable key-size block cipher designed by Rivest for RSA Data Security. "RC" stands for "Ron's Code" or "Rivest's Cipher." It is faster than Data Encypherment Standard (DES) and is designed as a "drop-in" replacement for DES.

Because of the variable key size it can be made more secure or less secure than DES against exhaustive key search. The algorithm is confidential and proprietary to RSA Data Security.


A variable key-size stream cipher with byte-oriented operations designed by Rivest for RSA Data Security.


Simple Authentication and Security Layer. Defined in RFC2222.

Secure Hash Algorithm version 1

Published in 1994 as a federal information-processing standard (FIPS PUB 180), this was developed by the National Institute of Standards and Technology (NIST). Similar to the MD4 family of hash functions, this takes a message of less than 264 bits and produces a 160-bit message digest. It is slightly slower than MD5 but is more secure against brute-force collision and inversion attacks.


Secure Sockets Layer version 3.0 is defined in the Internet draft <draft-ietf-tls-ssl-version3-00.txt>.

Stream Cipher

A stream cipher is another use of symmetric encryption. Stream ciphers process small units of plaintext, usually bits. Stream ciphers are much faster than block ciphers, and can be applied to data as it is sent or received. You do not need to know the size of the message, or receive the entire message before beginning to decrypt the message. This is useful for encrypted conversations over a network such as SSL rather than individually encrypted messages.

Symmetric Cipher

Symmetric, or shared-key, ciphers are a form of data encryption in which a single key, known by the sender and the recipient, is used to encrypt and decrypt a message. While this form of encryption is efficient and effective, it is often difficult to share the key between both parties in a secure manner. It requires that the sender communicate the key to the recipient in a secure way.


A standard released by the International Telecommunications Union that specifies the formatting of a mechanism to verify public keys issued to security principals in an organization.