Lesson 4 Active Directory Naming Conventions
Objective Understand the different Naming Conventions and their uses

Active Directory Naming Conventions and Uses

The naming conventions of a directory service are critically important for the usability and maintenance of your network. In fact, Active Directory depends on DNS (the Domain Name System) and will not install unless the DNS service is installed on the computer. The DNS namespace is an important concept in Active Directory.
Namespace: The namespace encompasses the forests, trees and domains that create the logical structure of the network. Objects within the namespace are identified in several different ways.
Active Directory supports four naming conventions for Active Directory objects:
  1. Distinguished name
  2. Relative distinguished name
  3. User principal name
  4. Global unique identifier
Remember, names should be unique, so that each object within a directory can be found and accessed without much guesswork, which is not easy given the number of objects that populate Active Directory. As you will see below, Active Directory has built in some safeguards to make this aspect of your job a little simpler.


Distinguished Name and Relative Distinguished Name

Every object in Active Directory has a distinguished name. The distinguished name[1] identifies the domain where the object is located, in addition to the complete path by which the object is reached. The relative distinguished name[2] of an object is the part of the distinguished name that is an attribute of the object itself. The diagram below shows these two conventions and how they relate within a distinguished name string:
Active Directory Distinguished Name (diagram)
1. This distinguished name identifies the James Smith user object in the contoso.com domain. (In the distinguished name, DC is the abbreviation for domain component, and CN is the abbreviation for common name.)
2. The relative distinguished name of the James Smith user object is James Smith. The relative distinguished name of the parent object is Users.

With regard to their uniqueness, distinguished names are guaranteed to be unique in the forest. Active Directory does not permit two objects with the same relative distinguished name under the same parent container.

User Principal Name

The user principal name[3] (UPN) of a user object is composed of the user's logon name and the DNS name of the domain where the user object resides.
For example, user James Smith in the contoso.com domain might have a user principal name of [email protected]. The user principal name can be used to log on to the network. An administrator can define additional suffixes for user principal names, if required.
While user principal names are required to be unique, Active Directory does not enforce this requirement. Therefore, it's possible to have duplicate user principal names if you are not extremely careful about naming from the start. This could happen, for instance, if you have a username of James Smith in the Finance OU and another username of James Smith in the Marketing OU. Because the distinguished names will be different, reflecting the different OUs, this is permitted. However, if both OUs are in the contoso.com domain, both will have the same UPN. Active Directory will not allow you to assign the same logon name to these two users.
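As an added example (not part of the lesson), the Python below parses distinguished names written leaf first, the way LDAP tools return them, derives the DNS domain name from the DC components, builds the default UPN, and applies the two uniqueness rules above: AD itself rejects a duplicate relative distinguished name under one parent, while the duplicate UPN of the Finance and Marketing James Smith case has to be found by checking. The user accounts and OU layout are constructed sample data for the contoso.com domain.

```python
# Added example (not part of the lesson): parse AD distinguished names into
# RDNs, derive the DNS domain from the DC components, build the default UPN,
# and apply the lesson's uniqueness rules. Constructed sample data, leaf first.
import re
from collections import Counter

# RFC 4514 lets a backslash escape a comma inside a value, so split only on
# commas that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')

def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs, leaf first."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def rdn_of(dn):
    """The relative distinguished name: the value of the leaf RDN."""
    return parse_dn(dn)[0][1]

def parent_of(dn):
    """The parent container's DN: everything after the leaf RDN."""
    return ','.join(f'{a}={v}' for a, v in parse_dn(dn)[1:])

def domain_of(dn):
    """The DNS domain name, rebuilt from the DC components in order."""
    return '.'.join(v for a, v in parse_dn(dn) if a == 'DC')

def upn_of(logon_name, dn):
    """Default UPN: logon name @ DNS name of the domain holding the object."""
    return f'{logon_name}@{domain_of(dn)}'

def find_conflicts(users):
    """users: list of (logon_name, dn). Returns (sibling clashes, UPN clashes).
    AD itself rejects a sibling clash (same RDN under one parent); a UPN clash
    is the case the lesson says AD does not catch, so we must look for it."""
    sibling_keys = Counter((parent_of(dn).lower(), rdn_of(dn).lower())
                           for _, dn in users)
    upn_keys = Counter(upn_of(name, dn).lower() for name, dn in users)
    return ([k for k, n in sibling_keys.items() if n > 1],
            [k for k, n in upn_keys.items() if n > 1])

# Constructed sample: two James Smith users in different OUs of contoso.com.
SAMPLE_USERS = [
    ('jsmith', 'CN=James Smith,OU=Finance,DC=contoso,DC=com'),
    ('jsmith', 'CN=James Smith,OU=Marketing,DC=contoso,DC=com'),
    ('asmith', 'CN=Smith\\, Anne,CN=Users,DC=contoso,DC=com'),
]
```

Running `find_conflicts(SAMPLE_USERS)` reports no sibling clash (the two DNs differ by OU) but one UPN clash, jsmith@contoso.com, which is exactly the situation the paragraph above describes.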

Globally unique identifier

The globally unique identifier[4] (GUID) is a 128-bit number that is, by definition, guaranteed to be unique. Windows 2000 assigns a GUID to objects when they are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and retrieve that object later even if the distinguished name of the object changes.

The following list pairs each naming convention with an example of its form.

Active Directory Naming Conventions

  1. user principal name: [email protected]
  2. distinguished name: DC=NET, DC=tacteam, OU=HR, CN=Jonathan Smith
  3. global unique identifier: 921FB974-ED42-11BE-BACD-00AA0057B223
  4. relative distinguished name: Jonathan Smith

Computer Account in Forest

Each client workstation or server in an Active Directory network must have a computer account somewhere in the forest to let users log on via that client. When a machine is added to a domain in a forest, the computer account is created in Active Directory, and a trust relationship is established between the client and the domain so that the client is recognized as a valid member of the domain. Where a client is placed in the forest determines part of the name. Member servers are usually placed in the domain that hosts most of the users that use the server, and DCs are located by their very nature in the individual domains that they host. Clients can be placed anywhere, but they are usually placed in the domain that the primary users of that client will normally log onto.
All hosts are named <computer>.<domain>.
For example, a server called SRV01 in the dispersednet.com domain would usually be called srv01.dispersednet.com; a server called SRV02 in the Europe domain would usually be called srv02.europe.dispersednet.com.

What are Organizational Units (OUs)?

When you install an Active Directory domain, a number of default containers and organizational units are created automatically, including the Users and Computers containers and the Domain Controllers OU. If you try to create a new container, you will find that there is no option to do so from within the Active Directory Users and Computers (ADUC) MMC snap-in. This also applies to Organization, Locality, and Country container objects. This is intentional and in almost all cases, you would want to create an organizational unit instead of a container. It is possible to create the other types of containers from within scripts and other LDAP tools, but generally it is not necessary.
So, throughout this course, whenever we advocate creating hierarchies within domains, we always recommend that you use organizational units. After all, an organizational unit is just a superset of a container. There is nothing a container can do that an organizational unit cannot.

You now have one or more forests of domain trees, as well as an OU structure. You can now consider the naming convention for the servers and workstations. For example, a server called SRV01 in the cohovines.com domain would usually be called srv01.cohovines.com; a server called SRV02 in the Europe domain would usually be called srv02.europe.cohovines.com.
The DNS domain name of the machines in a given domain does not strictly need to match the Active Directory domain name. This is one example of a disjoint namespace, a configuration that Microsoft supports. This type of configuration is sometimes found in larger enterprise-class organizations that have complex distributed DNS configurations. You may find, for example, a server with the name srv01.detroit.michigan.us.cohovines.com, which is a member of the AD domain northamerica.cohovines.com.
In the next lesson, you will learn about the logical structure of Active Directory.

[1] Distinguished name: Every object in Active Directory has a distinguished name. The distinguished name identifies the domain where the object is located, in addition to the complete path by which the object is reached.
[2] Relative distinguished name: The relative distinguished name of an object is the part of the distinguished name that is an attribute of the object.
[3] User principal name: The user principal name of a user object is composed of the user's logon name and the DNS name of the domain where the user object resides.
[4] Globally unique identifier: The globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique. Windows 2000 assigns a GUID to objects when they are created.
