Lesson 4 Active Directory Naming Conventions
Objective Understand the different Naming Conventions and their uses

Active Directory Naming Conventions and Uses

The naming conventions of a directory service are critically important for the usability and maintenance of your network. Active Directory is built on DNS (the Domain Name System): a domain controller cannot be promoted unless a DNS server that supports the record types Active Directory registers is reachable, and the installation wizard offers to install and configure one on the domain controller itself. The DNS namespace is therefore a central concept in Active Directory. The namespace encompasses the forests, trees and domains that create the logical structure of the network, and objects within the namespace are identified in several different ways. Active Directory supports four naming conventions for Active Directory objects:
  1. Distinguished name
  2. Relative distinguished name
  3. User principal name
  4. Global unique identifier
Remember, names should be unique, so that each object within a directory can be found and accessed without guesswork, which is not easy given the number of objects that populate Active Directory. As you will see below, Active Directory has built in some safeguards to make this aspect of your job a little simpler.

Three primary Functions

Active Directory uses DNS for three primary functions:
  1. Name resolution. DNS provides name resolution by translating host names into IP addresses.
  2. Namespace definition. Active Directory uses DNS naming conventions to name domains. Windows 2000 domain names are DNS domain names. For example, contoso.com is a valid DNS domain name and could also be the name of a Windows 2000 domain.
  3. Locating the physical components of Active Directory. To log on to the network and perform queries in Active Directory, a computer running Windows 2000 first must locate a domain controller or global catalog server to process the logon authentication or the query. The DNS database stores the information about which computers perform these roles and provides that information so that the request can be directed appropriately.

  • DNS's role in Windows
    Question: How did DNS function in Windows NT?
    DNS played a secondary role in Windows NT. Windows NT relied on NetBIOS name resolution, and on the Windows Internet Name Service (WINS), as its primary means of identifying computers on the network. DNS was used primarily for Internet access, for example by web browsers translating the host names in URLs to IP addresses. In Windows 2000, DNS takes over as the leading name resolution method.

One of the big advantages of Active Directory over its predecessor, Windows NT, is its reliance on the Domain Name System (DNS) rather than the Windows Internet Name Service (WINS) for name resolution. DNS is the ubiquitous, standards-based naming service used on the Internet. WINS, on the other hand, never garnered industry support and has become a candidate for elimination on many enterprise networks. The good news is that with Active Directory the dependencies on WINS have been eliminated; the potentially bad news is that Active Directory has many dependencies on the DNS infrastructure. Whether that is actually bad depends on how flexible your DNS environment is. Often, the groups that manage DNS and Active Directory within an organization are different, and getting the two teams to agree on an implementation can be difficult because of political turf battles or technology clashes.
Although Active Directory does not need WINS, or more accurately NetBIOS name resolution, other systems and technologies may require it. Many administrators are quick to try to remove WINS from their environment, but generally speaking, the administrative cost of maintaining a WINS infrastructure is substantially smaller than the cost involved in executing a project to remove WINS.
The intent of this module is to provide you with a good understanding of how Active Directory uses DNS and to review some of the options for setting it up within your organization. We will briefly touch on some DNS basics, but we will not go into much depth on how to configure and administer the Windows DNS server.
Network-based name Resolution
Name resolution on a network maps a name that is meaningful to people and applications (such as a computer name) to the identifier the network actually uses, typically an IP address, which is in turn mapped to a hardware address; a reverse lookup goes the other way, from an address back to a name. A computer on a Windows 2000 Server network is identified by the following:
  1. NetBIOS Name (for instance, TCI1)
  2. TCP/IP Address (121.133.2.44)
  3. Host Name (Abbey)
  4. Media Access Control (MAC): this is the network adapter hardware address

These are the four generally accepted identifiers on a Windows 2000 Server network. Two of them go through a name resolution process: the NetBIOS name is resolved through WINS (or broadcast), and the host name is resolved through DNS.


Distinguished Name and Relative Distinguished Name

Every object in Active Directory has a distinguished name. The distinguished name [1] identifies the domain where the object is located, in addition to the complete path by which the object is reached. The relative distinguished name [2] of an object is the part of the distinguished name that is an attribute of the object itself. The figure below shows these two conventions and how they relate in an LDAP name:
Figure: Active Directory Distinguished Name
  CN=James Smith,CN=Users,DC=contoso,DC=com
  1. This distinguished name identifies the James Smith user object in the contoso.com domain. (In the distinguished name, DC is the abbreviation for domain component and CN is the abbreviation for common name; the object itself is listed first and the domain components last.)
  2. The relative distinguished name of the James Smith user object is James Smith. The relative distinguished name of the parent object is Users.

With regard to uniqueness, distinguished names are guaranteed to be unique in the forest, because Active Directory does not permit two objects with the same relative distinguished name under the same parent container. Since the relative distinguished name is an attribute value, a value that contains a comma (for example a common name of Smith, James) has to be escaped as Smith\, James in the LDAP string form; otherwise the name would parse as one more path component.
  • User Principal Name: The user principal name [3] (UPN) of a user object is composed of the user's logon name and the DNS name of the domain where the user object resides, joined by an @ sign.
    For example, user James Smith in the contoso.com domain might have a user principal name of jsmith@contoso.com (the logon name jsmith is assumed here for illustration). The user principal name can be used to log on to the network. An administrator can define additional UPN suffixes for the forest if required, so the suffix does not have to be the DNS name of the user's own domain.
    User principal names must be unique within the forest, but the Windows 2000 directory service does not enforce this: the Active Directory Users and Computers snap-in refuses a duplicate when you create a user, whereas a write made with a script or another LDAP tool is accepted (domain controllers from Windows Server 2012 R2 onward reject the duplicate at creation time). It is therefore possible to end up with duplicate user principal names if you are not careful about naming from the start. Suppose you have a user James Smith in the Finance OU and another user James Smith in the Marketing OU of the contoso.com domain. Their distinguished names differ, reflecting the different OUs, so both objects are permitted. Their pre-Windows 2000 logon names (sAMAccountName) must also differ, because Active Directory does not allow the same logon name twice in one domain. The UPN prefix, however, is a separate attribute: if both users are given the prefix jsmith, both have the UPN jsmith@contoso.com, and a logon with that UPN can no longer be matched to a single account, so it fails. Check for duplicate UPNs across the whole forest, not just within one domain, whenever you add UPN suffixes or merge directories.
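The three name forms above can be parsed and checked mechanically. The following Python is an added example written for this lesson, not code from the original page or from Microsoft: it splits a distinguished name into its relative distinguished names with RFC 4514 escaping, derives the domain DNS name from the DC components, builds a UPN, and runs the three uniqueness checks the text describes over a constructed set of user objects (the users, their logon names and the tacteam.net domain are assumed for illustration). The UPN collision it reports is exactly the Finance/Marketing James Smith case: the directory accepts it, so the administrator has to look for it.

```python
"""Added example for this lesson (not code from the page or from Microsoft):
parse DNs with RFC 4514 escapes, derive RDN, parent, domain and UPN, and look
for the name collisions the text describes. Sample objects are constructed."""
from __future__ import annotations

from collections import defaultdict

_HEX = set("0123456789abcdefABCDEF")
_SPECIAL = ',+"\\<>;'  # must be backslash-escaped inside an RDN value


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first. "\\," and "\\2C"
    both yield a literal comma, so a value cannot inject an extra RDN."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # single-byte hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped special character
                i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value))
    return pairs


def escape_value(value: str) -> str:
    """Escape an RDN value so it can be written back into a DN string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def to_dn(pairs: list[tuple[str, str]]) -> str:
    return ",".join(f"{a}={escape_value(v)}" for a, v in pairs)


def rdn(dn: str) -> str:
    """Relative distinguished name: the value of the leaf component."""
    return parse_dn(dn)[0][1]


def parent_dn(dn: str) -> str:
    """DN of the container or OU holding the object."""
    return to_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """DNS name of the object's domain, read from its DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC").lower()


def build_upn(logon_name: str, dn: str, suffix: str | None = None) -> str:
    """logon name @ domain DNS name, or an administrator-defined UPN suffix."""
    return f"{logon_name}@{suffix or domain_dns_name(dn)}"


def check_names(objects: list[dict[str, str]]) -> dict[str, list[list[str]]]:
    """Collisions: 'rdn' (same RDN under one parent) and 'sam' (same logon name
    in one domain) are refused by AD; 'upn' (same UPN anywhere in the forest)
    is accepted by the directory but makes UPN logons for those users fail."""
    by_rdn: dict[tuple[str, str], list[str]] = defaultdict(list)
    by_sam: dict[tuple[str, str], list[str]] = defaultdict(list)
    by_upn: dict[str, list[str]] = defaultdict(list)
    for obj in objects:
        pairs = parse_dn(obj["dn"])
        by_rdn[(to_dn(pairs[1:]).lower(), pairs[0][1].lower())].append(obj["dn"])
        by_sam[(domain_dns_name(obj["dn"]), obj["sAMAccountName"].lower())].append(obj["dn"])
        by_upn[obj["userPrincipalName"].lower()].append(obj["dn"])
    return {name: [d for d in table.values() if len(d) > 1]
            for name, table in (("rdn", by_rdn), ("sam", by_sam), ("upn", by_upn))}


# Constructed sample: two James Smith users in different OUs of contoso.com with
# different logon names (AD accepts both) but the same UPN (AD does not notice).
SAMPLE_USERS = [
    {"dn": "CN=James Smith,OU=Finance,DC=contoso,DC=com",
     "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@contoso.com"},
    {"dn": "CN=James Smith,OU=Marketing,DC=contoso,DC=com",
     "sAMAccountName": "jsmith2", "userPrincipalName": "jsmith@contoso.com"},
    {"dn": "CN=Smith\\, Jonathan,OU=HR,DC=tacteam,DC=net",
     "sAMAccountName": "jonsmith", "userPrincipalName": "jonsmith@tacteam.net"},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(rdn(user["dn"]), "|", parent_dn(user["dn"]), "|", domain_dns_name(user["dn"]))
    print(check_names(SAMPLE_USERS))
```

In a real forest the same checks are run over the dn, sAMAccountName and userPrincipalName attributes returned by an LDAP search of every domain; the parser is the part worth keeping, because a naive split on commas mis-reads any common name that contains one.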

Globally unique Identifier

The globally unique identifier [4] (GUID) is a 128-bit number that is, by design, unique across the forest. Windows 2000 assigns a GUID (the objectGUID attribute) to every object when it is created. The GUID never changes, even if you move or rename the object, whereas moving changes the distinguished name and renaming changes the relative distinguished name. Applications can therefore store the GUID of an object and retrieve that object later even if its distinguished name has changed. The list below shows the four conventions side by side for one user object.
  • Active Directory Naming Conventions
    1. user principal name: <logon name>@tacteam.net, for example jsmith@tacteam.net (the logon name jsmith is assumed for illustration)
    2. distinguished name: CN=Jonathan Smith,OU=HR,DC=tacteam,DC=NET (LDAP form, object first and domain components last)
    3. globally unique identifier: 921FB974-ED42-11BE-BACD-00AA0057B223
    4. relative distinguished name: Jonathan Smith

Computer Account in Forest

Each client workstation or server in an Active Directory network must have a computer account somewhere in the forest to let users log on via that client. When a machine is added to a domain in a forest, the computer account is created in Active Directory, and a trust relationship is established between the client and the domain so that the client is recognized as a valid member of the domain. Where a client is placed in the forest determines part of the name. Member servers are usually placed in the domain that hosts most of the users that use the server, and DCs are located by their very nature in the individual domains that they host. Clients can be placed anywhere, but they are usually placed in the domain that the primary users of that client will normally log onto.
All hosts are named <computer>.<domain>.
For example, a server called SRV01 in dispersednet.com domain would usually be called
srv01.dispersednet.com; 
a server called SRV02 in the Europe domain would usually be called srv02.europe.dispersednet.com.

What are (OU) Organizational Units ?

When you install an Active Directory domain, a number of default containers and organizational units are created automatically, including the Users and Computers containers and the Domain Controllers OU. If you try to create a new container, you will find that there is no option to do so from within the Active Directory Users and Computers (ADUC) MMC snap-in. This also applies to Organization, Locality, and Country container objects. This is intentional and in almost all cases, you would want to create an organizational unit instead of a container. It is possible to create the other types of containers from within scripts and other LDAP tools, but generally it is not necessary.
So, throughout this course, whenever we advocate creating hierarchies within domains, we always recommend that you use organizational units. After all, an organizational unit is just a superset of a container. There is nothing a container can do that an organizational unit cannot.
You now have one or more forests of domain trees, as well as an OU structure, and can consider the naming convention for servers and workstations. By default a host name follows the same <computer>.<domain> pattern. For example, a server called SRV01 in the cohovines.com domain would usually be called
srv01.cohovines.com;

a server called SRV02 in the Europe child domain would usually be called srv02.europe.cohovines.com.
The DNS domain name of the machines in a given domain does not strictly need to match the Active Directory domain name. This is one example of a disjoint namespace, and it is a configuration supported by Microsoft. It is sometimes found in larger enterprise organizations that have complex distributed DNS configurations. You may find, for example, a server with the name
srv01.detroit.michigan.us.cohovines.com
which is a member of the AD domain northamerica.cohovines.com. A disjoint namespace is not free: the primary DNS suffix of such a computer must be listed in the msDS-AllowedDNSSuffixes attribute of its domain object, otherwise the domain controller rejects the computer's update of its dNSHostName and host service principal names, and Kerberos authentication to the host by that DNS name fails (clients fall back to NTLM). Keep the list of allowed suffixes deliberate and short, since every extra suffix is another name under which a machine account can register itself.
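The host-name convention and the disjoint-namespace case can both be checked against the directory's own data. The following Python is an added example for this lesson, not code from the original page or from Microsoft: it derives a domain's DNS name from the DC components of a computer object's DN, computes the default <computer>.<domain> host name, and classifies each host's dNSHostName as contiguous, disjoint but allowed (its suffix is listed in the domain's msDS-AllowedDNSSuffixes attribute) or disjoint and blocked. The cohovines.com computer objects, the lab.cohovines.com suffix and the allowed-suffix list are constructed for illustration.

```python
"""Added example for this lesson (not code from the page or from Microsoft):
compare machine host names with the AD domain they belong to. The computer
objects and the allowed-suffix set are constructed; in a live forest they come
from each computer's dNSHostName and from msDS-AllowedDNSSuffixes on the domain."""
from __future__ import annotations


def domain_from_dn(dn: str) -> str:
    """DNS name of a domain from the DC components of an object's DN.
    A plain split is enough here because DC values never contain commas."""
    labels = [p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def expected_fqdn(computer_name: str, dn: str) -> str:
    """Contiguous-namespace host name: <computer>.<AD domain DNS name>."""
    return f"{computer_name.lower()}.{domain_from_dn(dn)}"


def namespace_status(dns_host_name: str, dn: str, allowed_suffixes: set[str]) -> str:
    """'contiguous' if the host's DNS suffix is its AD domain's DNS name,
    'disjoint-allowed' if the suffix is in msDS-AllowedDNSSuffixes (the DC
    then accepts the dNSHostName and host SPNs), else 'disjoint-blocked'."""
    host = dns_host_name.lower()
    domain = domain_from_dn(dn)
    _, _, suffix = host.partition(".")
    if suffix == domain:
        return "contiguous"
    if suffix in {s.lower() for s in allowed_suffixes}:
        return "disjoint-allowed"
    return "disjoint-blocked"


def audit(computers: list[dict[str, str]], allowed_suffixes: set[str]) -> dict[str, str]:
    """Map each host name to its namespace status."""
    return {c["dNSHostName"]: namespace_status(c["dNSHostName"], c["dn"], allowed_suffixes)
            for c in computers}


# Constructed sample: a cohovines.com forest with a europe child domain and a
# northamerica child domain whose hosts sit in a deeper, disjoint DNS hierarchy.
SAMPLE_COMPUTERS = [
    {"name": "SRV01", "dn": "CN=SRV01,OU=Servers,DC=cohovines,DC=com",
     "dNSHostName": "srv01.cohovines.com"},
    {"name": "SRV02", "dn": "CN=SRV02,OU=Servers,DC=europe,DC=cohovines,DC=com",
     "dNSHostName": "srv02.europe.cohovines.com"},
    {"name": "SRV01", "dn": "CN=SRV01,OU=Servers,DC=northamerica,DC=cohovines,DC=com",
     "dNSHostName": "srv01.detroit.michigan.us.cohovines.com"},
    {"name": "SRV03", "dn": "CN=SRV03,OU=Servers,DC=northamerica,DC=cohovines,DC=com",
     "dNSHostName": "srv03.lab.cohovines.com"},  # suffix nobody allowed
]
ALLOWED_SUFFIXES = {"detroit.michigan.us.cohovines.com"}  # assumed msDS-AllowedDNSSuffixes

if __name__ == "__main__":
    for host, status in audit(SAMPLE_COMPUTERS, ALLOWED_SUFFIXES).items():
        print(f"{host:45} {status}")
```

A host reported as disjoint-blocked is the one whose Kerberos SPNs will be missing, which is usually discovered much later as an unexplained fall-back to NTLM.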
In the next lesson, you will learn about the logical structure of Active Directory.

[1] Distinguished name: Every object in Active Directory has a distinguished name. The distinguished name identifies the domain where the object is located, in addition to the complete path by which the object is reached.
[2] Relative distinguished name: The relative distinguished name of an object is the part of the distinguished name that is an attribute of the object.
[3] User principal name: The user principal name of a user object is composed of the user's logon name and the DNS name of the domain where the user object resides.
[4] Globally unique identifier: The globally unique identifier (GUID) is a 128-bit number that is guaranteed to be unique. Windows 2000 assigns a GUID to objects when they are created.
