Active Directory Naming Standard

Admin Tip #78: Active Directory Naming Standard

Hits: Failed to execute CGI : Win32 Error Code = 3

Active Directory naming standards supported include

NetBIOS names are the account names required for legacy NT environments.
Fully qualified domain name FQDN
the path to a network object : wmaples.dallas.support.mycompay.com is my fqdn.
DN Distinguished names
every object in AD has a DN. DN follows X.500 naming conventions. The DN is made up of the nodes from the root domain down through the container hierarchy to the object. Using my FQDN name and putting it into ND form:
DC=com, DC=mycompany, DC=support, OU=dallas, CN=Users CN=wmaples The distinguished name abbreviations are
- DC domain component
- OU organizational unit
- CN
- common name
The listing order is always DC (however many), OU (however many), CN (however many).
The LDAP interface exposes objects through their distinguished names. Some attributes contain references to other Active Directory objects, such as a user's manager attribute. Internally, the value of these attributes is the GUID of the object they refer to (see below). This ensures that a reference always points to the same object, even if that object is renamed or moved. The LDAP interface automatically converts these references to the distinguished name so that when an LDAP client reads these attributes it gets back a distinguished name, not a GUID.
RDN Relative distinguished names must be unique in an OU but do not have to be unique in a domain. RDN also derives from X.500. The RDN is the portion of the DN that is an object attribute. My RDN is wmaples and is an attribute of my logon account.
UPN User principal names are user friendly names for user accounts. They have to be unique within a domain. They look like email addresses. My upn name is , although UPNs can be mapped to make the user name easier to remember or even to clarify OU membership. My upn could be or or other variations.
GUID Globally unique identifiers is an 128-bit number guaranteed to be unique within a forest. The GUID never changes even though the DN or RDN may. The GUID is W2K's extension of the SID to the AD environment. Every object has a GUID which is assigned at object creation. It would take too long to identify an object within a data table if the system always had to store and compare bulky GUIDs, so every object is also identified by a distinguished name tag (DNT). This 4-byte DWORD value is incremented when a new object is created in the store; thus it represents the object's AD database row number. It is an example of a fixed column. Each object's parent relationship is stored as a parent distinguished name tag (PDNT, also a DWORD). Resolution of parent-child relationships is optimized because the DNT and PDNT are indexed fields in the AD database.

Name Restrictions for hosts and domains

Restriction	Standard DNS	W2K DNS	NetBIOS
Characters	Supports RFC 1123 which permits "A-Z", "a-z", "0-9", and the hyphen "-".	Several different configurations are possible.	Unicode characters, numbers, white space, symbols: ! @ # $ % ^ & ' )( . - _ { }~.
Fully qualified domain name length	63 bytes per label and 255 bytes for an FQDN.	63 bytes per lable and 255 bytes for an FQDN; domain controllers are limited to 155 bytes for an FQDN.	15 bytes.

DNS servers including Windows NT 4 DNS follow RFC 1123 but that presents a problem to Windows 2000 / DNS networks that use NetBIOS names. NetBIOS supports additional characters and it is a real pain to convert NetBIOS names to standard DNS names.

Related Tips:

an excellent text - well written