The naming model defines how directory objects can be uniquely specified. The OSI directory model uses distinguished names for that purpose.
A distinguished name is unique within the forest or Directory Information Tree (DIT) in which it is placed, and serves as a primary key for a directory object. A DN consists of relative distinguished names (RDNs), which represent branches in the directory information tree.
Here is an example of an object's distinguished name (CN stands for Common Name, OU means Organizational Unit, and DC means Domain Component):
A relative distinguished name uniquely identifies an object within its container. An RDN consists of an attribute naming specifier (DC, CN, or OU; other specifiers are rarely used in Active Directory) and a value, for example:
SAM (Pre-Windows 2000) Account Names. SAM account names are required for compatibility with down-level clients. A SAM name must be unique within a domain.
Globally Unique Identifiers – the Globally Unique Identifier (GUID) is a 128-bit number that uniquely identifies the object from the moment it is created. It never changes and ensures that the object can still be addressed even if it has been renamed or moved.
The Fully Qualified Domain Name (FQDN), also known as the full computer name, is the concatenation of the host name (the NetBIOS name) and the primary DNS suffix, for example:
User Principal Names – the User Principal Name (UPN) consists of the user logon name and a UPN suffix (the current or root DNS domain name, or a specially created shortened name), for example, JohnS@net or John@net.dom. A UPN is intended for simplified logon and can be used to log on to the network from a computer that belongs to any domain within the forest.
LDAP Uniform Resource Locators (URLs). LDAP URLs are used by LDAP-enabled clients to access Active Directory objects. They can also be used as binding strings in scripts and applications, for example (the server name is optional):
Active Directory Canonical Names. Canonical names are used in the administrative snap-ins' user interface to display object names. A canonical name is similar to the distinguished name with the naming attribute specifiers (DC, CN, etc.) removed. For example, the canonical name for the LDAP URL shown above is:
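The following Python is an added example, not code from the original text: it parses a DN into its RDNs (honouring RFC 4514 escaping, so a comma inside a value is not mistaken for an RDN separator), extracts the object's own RDN, and derives the canonical name described above. The DN used is constructed for illustration; the "/" escaping in canonical names follows ADSI behaviour.

```python
import re

# Constructed sample DN (not from the original page); note the escaped comma in the CN.
SAMPLE_DN = r"CN=Smith\, John,OU=Sales,OU=Staff,DC=net,DC=dom"


def split_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs.

    Handles RFC 4514 escapes: backslash-char (\\, \\+ ...) and backslash-hex (\\2C).
    A naive dn.split(',') would turn 'CN=Smith\\, John' into two bogus RDNs,
    which is exactly how access checks keyed on the wrong object go wrong.
    Multi-valued RDNs (joined with '+') are not split further here."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):   # \2C style hex escape
                buf.append(chr(int(pair, 16)))
                i += 3
            else:                                        # \, \+ \" \\ etc.
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")   # first '=' separates type from value
        out.append((attr.strip().upper(), value))
    return out


def rdn_of(dn: str) -> str:
    """The object's own RDN is the leftmost component, e.g. 'CN=Smith, John'."""
    attr, value = split_rdns(dn)[0]
    return f"{attr}={value}"


def canonical_name(dn: str) -> str:
    """DC components joined with '.', then the other components root-first,
    joined with '/'. A literal '/' inside a component is escaped as '\\/'."""
    rdns = split_rdns(dn)
    domain = ".".join(v for a, v in rdns if a == "DC")
    path = [v.replace("/", "\\/") for a, v in rdns if a != "DC"]
    return "/".join([domain] + list(reversed(path)))
```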
In a multi-domain forest, complete directory information is not available on any single domain controller (DC). (A Global Catalog server holds only a subset of the attributes of all objects in the forest.) A mechanism is therefore needed to redirect a query from one DC to the DC that stores the requested object. The same mechanism is needed when the object is located in another naming partition on the same server (for example, when you specify the domain naming context as the search base but want to find objects that may be stored in the Schema or Configuration partition).
To inform a client that it does not hold a copy of the requested object, the queried server returns an LDAP referral in accordance with RFC 2251. Ideally, the referral points to the DC that stores the object. A server generates referrals to other DCs according to the cross-reference objects stored in the directory. Cross-references let every DC know about all directory partitions in the forest: they are stored in the Configuration container and are therefore replicated to every DC in the forest. Hence, any DC can generate referrals to any other domain in the forest, as well as to the Schema and Configuration partitions. Cross-references can be created either automatically or manually by an administrator.