Access Token

When a user is authenticated, the Local Security Authority (LSA) creates an access token, which in this case is a primary access token for that user. An access token contains a security identifier (SID) for the user, SIDs for the groups to which the user belongs, and the user’s privileges. In Domain Services for Windows (DSfW), a user's SID and group membership are stored in eDirectory.

When the user logs in to a Windows workstation in a DSfW domain, the Workstation receives this security information from the DSfW domain controller and associates it with the user's login session.

Additional Domain Controller

An added server used to improve the availability and reliability of network services. If you have an additional domain controller, it helps in fault tolerance and balances the load of existing domain controllers. It also provides additional infrastructure support to the sites.


Active Directory Provisioning Handler.

Responsible for automatically provisioning all the eDirectory objects in a domain with appropriate Active Directory attributes.

Child Domain

Also known as a subdomain. A child domain is a part of a larger domain name in the DNS hierarchy, which has the root-level domain at the top, followed by second-level domains, then followed by subdomains.

Configuration Partition

Stores the entire eDirectory forest configuration information, which consists of the cross-references and other forest-related information. The data stored in this partition is common to all domains in the eDirectory forest. Each type of configuration information is stored in a container in the configuration partition.

Cross-forest Trust

A feature that enables trust to be automatically managed among multiple DSfW forests or between a DSfW forest and an Active Directory forest. It helps to consolidate operations that result from mergers and acquisitions and enables the users in one forest to seamlessly access services in the other forest.

Cross-forest trusts are transitive. For example, every domain in Forest M has an implicit trust relationship with every domain in Forest N. However, transitivity does not mean that if you have a cross-forest trust between Forest M and Forest N, and a second cross-forest trust between Forest N and Forest O, a trust relationship exists between Forest M and Forest O. You are required to create a second cross-forest trust between Forest M and Forest O. Cross-forest trusts can be either one-way or two-way, and you need to establish the trust relationship between the forest root domains in each forest.

Cross-Reference Objects

Objects present in the configuration partition of the forest. Each cross-reference object represents a domain partition. They are used by domain controllers to generate referrals to other eDirectory partitions in the forest and to external directories when the object is not local.

Cross-reference objects are created in two ways:

- Internally by the system to refer to known locations that are within the forest.

- Externally by administrators to refer to locations outside of the forest.


In DSfW, a domain also forms the administrative boundary for a logical group of network resources such as users or computers. Typically, a domain resides in a localized geographic location; however, this might not always be the case. Domains are commonly used to divide global areas of an organization and its functional units.

Domain Controller

In DSfW, an Open Enterprise Server that manages user access to a network, which includes logging in, authentication, and access to the directory and shared resources.

Existing Domain

A domain that is already configured in the DSfW forest.

Existing Tree

An eDirectory tree onto which a DSfW server is being added. A domain is created as part of this process.

External Trust

You can create an external trust to form a one-way or two-way non-transitive trust with domains beyond your forest. External trusts are sometimes necessary when users need access to resources located in a Windows NT 4.0 domain or in a domain located within a separate forest that is not joined by a forest trust.


A set of one or more directory trees that trust each other. All the trees in a forest share a common schema, configuration, and global catalog. When a forest contains multiple trees, the trees do not form a contiguous name space. All the trees in a given forest trust one another through transitive bidirectional trust relationships.

Unlike a tree, a forest does not need a distinct name. A forest exists as a set of cross-referenced objects and trust relationships known to the member trees. Trees in a forest form a hierarchy for the purpose of trust. However, in DSfW, a forest contains a single tree that shares a common schema, configuration, and a global catalog.

Forest Root Domain (FRD)

The domain that provides the base (foundation) directory forest. It is usually the first domain that you create in your directory forest and is known as the default forest root domain.


A set of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists.

Group Policy

An infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings reside in the Group Policy objects (GPOs). GPOs are linked to directory service containers, such as sites, domains, or organizational units (OUs). These settings are then evaluated by the impacted targets, using the hierarchical nature of the directory. A Group Policy allows you to manage user and computer objects.

Mapped Tree/Setup

An eDirectory tree where one or more eDirectory partitions are configured as DSfW domains and are mapped as a partition root object to a domain root. The fully qualified domain name of the DSfW forest root domain might be different from the X500 DN of the root of the DSfW forest.

Microsoft Management Console (MMC)

A component of modern Microsoft Windows operating systems.

It provides system administrators and advanced users with a flexible interface through which they can configure and monitor the system.


Network Basic Input/Output System.

A network operating protocol that the NetBIOS API use to allow applications on different computers to communicate over a local area network. In modern networks, it normally runs over TCP/IP (NBT), giving each computer in the network both a NetBIOS name and an IP address corresponding to a (possibly different) hostname. Older operating systems ran NetBIOS over IPX/SPX or IEEE 802.2 (NBF). NetBIOS provides services related to the session layer of the OSI model.

Non-Mapped Setup

Creates a new eDirectory tree with the DNS naming format instead of the traditional X.500 naming format. The DSfW domain partitions in the tree are created at the time of provisioning.


A single-valued identifier that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. User objects, group objects and computer objects, among others, are security principals. A SID is a binary value set by the system when the user is created.


1. A logical division of a computer hard disk created in order to have different operating systems on the same hard disk or to create the appearance of having separate hard disks for such activities as file management.

2. A logical group of objects in an eDirectory tree, used to provide better management of the tree.

3. Partition acts as a security boundary of a domain.


Provisioning is the process of configuring the services on a DSfW server. It is made up of a series of logical steps that execute in a predetermined order to complete the DSfW installation.

The provisioning tasks can be executed using the DSfW Provisioning Wizard or the command line scripts.

Relative ID Master (RID Master)

Every domain controller assigns RIDs to the security principals it creates. The RID master FSMO role holder is the single domain controller responsible for processing RID Pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.


A copy or instance of a user-defined partition that is distributed to another eDirectory server.

Root Partition

A unique partition created when the tree is installed.

Schema Partition

A partition that stores the definitions for the type of data that can be held by the directory store. Directory services rely on schema partitions for maintaining data consistency. In addition, applications can refer to the schema partition to determine the type of data that the directory forest allows. The schema can be extended to allow the directory to hold data that is specific to a particular application.

Shortcut Trust

A manually created trust that shortens the trust path within a forest to increase the speed at which authentications performed across domains in a forest are processed. This can result in faster authentication times and faster access to resources. A trust path is a chain of multiple trusts that enables trust between domains that are not adjacent in the domain namespace. For example, if users in the domain need to gain access to resources in the domain, the domain must be traversed because it is on the trust path. You can create a shortcut trust between and, bypassing in the trust path.

Subsequent Domain

A child domain for a domain that already exists. Organizations split the data into multiple domains to reduce administrative overhead.


The System Volume (Sysvol) is a shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.

The Sysvol corresponds to the /var/opt/novell/xad/sysvol/sysvol directory on the domain controller.


The sysvolsync utility is introduced to provide synchronization of Sysvol and the underlying policies between the domain controllers of a domain. This utility when invoked finds the domain controllers for the domain and initiates the synchronization process with them, contacting one domain controller at a time. During the synchronization only the changes are transferred and not the entire data.

Trust-Posix-Offset Attribute

An offset that the system uses to generate POSIX user and group identifiers that correspond to a given SID. To generate a POSIX identifier, the system adds the RID from the SID to the POSIX offset of the trusted domain identified by the SID.

Trusted Domain Object

A critical object that represents the trust relationship between the two domains. It is found in the partition container under configuration partition. It directly relates to the trust relationships displayed in the Active Directory Domains and Trusts administrative tool. If the Trusted Domain Object is not present in DSfW, cross-domain authentication fails and results in errors. Shortcut trust objects are created when there is more than one domain in the forest.