Active Directory is an LDAP-compliant directory service. Network clients use the LDAP protocol to query Active Directory for information.
Every object in Active Directory is identified by one or more names. Active Directory uses a variety of object naming conventions.
- Distinguished Names
- Relative Distinguished Names
- Globally Unique Identifiers
- User Principal Names
Distinguished Name (DN)
Every object in Active Directory has a distinguished name (DN) that uniquely identifies the object. This naming convention contains
enough information for a client to retrieve information about the object. The DN contains the complete path to the object's location
in the hierarchy. Here is an example of a DN for a user object.
Another example is a computer located in the Computers container (note that containers use CN rather than OU).
In this example, you will notice that three LDAP abbreviations are used to identify the name and location of this object.
- CN: Common Name
- OU: Organizational Unit
- DC: Domain Component
Active Directory does not allow duplicate DNs.
Relative Distinguished Name (RDN)
The Relative Distinguished Name of an object is the part of the name that is an attribute of the object itself. It is the common name
for the object. In the previous example, the RDN for John Smith is John Smith. The RDN for the Organizational Unit, Users, is Users. Active
Directory does not allow an RDN to be duplicated within the same container.
Globally Unique Identifier (GUID)
A globally unique identifier is a 128-bit number, written in hexadecimal, that is guaranteed to be unique within the forest. GUIDs are assigned to all
objects at the time of object creation. The GUID never changes, even if you rename the object, nor does it change when the object is moved
among the various domains within the forest boundary. The GUID is needed in Active Directory because, unlike Windows NT, Active Directory
requires an identifier for each object that is unique across the forest. The SID can no longer provide that requirement since multiple domains can exist within the
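Because the DN changes on rename or move while the GUID does not, any inventory or correlation logic should key on objectGUID rather than on the DN. The following added example (not code from the original article) shows the one practical wrinkle: over LDAP, objectGUID arrives as 16 raw bytes in the Windows GUID struct layout, so the first three fields must be read little-endian to reproduce the canonical string. The sample GUID bytes and DNs are constructed.

```python
"""Use objectGUID, not the DN, as the stable identity of an AD object.

Added example; the 16-byte GUID and the DNs below are constructed sample data.
"""
import uuid

# Constructed raw objectGUID as an LDAP client would receive it (16 bytes).
SAMPLE_GUID_BYTES = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
DN_BEFORE_RENAME = "CN=John Smith,OU=Users,DC=corp,DC=example,DC=com"
DN_AFTER_MOVE = "CN=John Smith,OU=Contractors,DC=corp,DC=example,DC=com"


def guid_from_ldap_bytes(raw: bytes) -> str:
    """Convert raw objectGUID bytes to the canonical string form.

    The first three GUID fields are stored little-endian in the Windows layout,
    so uuid.UUID(bytes_le=...) is required; using bytes= would scramble them.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


class ObjectIndex:
    """Tracks the current DN of each object, keyed by GUID.

    A DN tells you where an object currently sits; the GUID tells you which
    object it is. Keying on GUID lets a rename or move be recognised as the
    same object rather than as a deletion plus a new creation.
    """

    def __init__(self) -> None:
        self.current_dn = {}

    def observe(self, raw_guid: bytes, dn: str) -> str:
        """Record a sighting and classify it: 'new', 'same' or 'renamed_or_moved'."""
        guid = guid_from_ldap_bytes(raw_guid)
        previous = self.current_dn.get(guid)
        self.current_dn[guid] = dn
        if previous is None:
            return "new"
        # AD compares DNs case-insensitively, so do the same here.
        return "same" if previous.lower() == dn.lower() else "renamed_or_moved"


if __name__ == "__main__":
    index = ObjectIndex()
    print(guid_from_ldap_bytes(SAMPLE_GUID_BYTES))
    print(index.observe(SAMPLE_GUID_BYTES, DN_BEFORE_RENAME))
    print(index.observe(SAMPLE_GUID_BYTES, DN_AFTER_MOVE))
```

Note that the canonical string differs from a naive hex dump of the bytes precisely because of the little-endian fields, which is the usual cause of GUIDs that "do not match" between an LDAP export and what an administrator sees in the management tools.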
User Principal Name (UPN)
The user principal name is also known as the “friendly” name. The UPN consists of the user account name and a domain naming suffix
(generally the domain naming suffix for the domain that the user is a member of). In the previous example, John Smith’s UPN may be
email@example.com. It is possible for a user to have a UPN whose domain suffix does not match the domain in which
the object is located. This is common for organizations that have an Active Directory infrastructure with an empty root domain along
with many child domains. The UPN for all of the users in the forest would then use the root domain suffix.
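The DN, RDN and UPN sections above describe three names that must be kept straight when reading directory data: the DN locates the object, the RDN is its first component, the DC components spell out the domain's DNS name, and the UPN suffix may legitimately differ from that DNS name. The following added example (not code from the original article) parses a DN with the RFC 4514 escaping rules, extracts the RDN and parent container, derives the domain from the DC components, checks whether a UPN suffix matches it, and reports RDN collisions within a container, which the directory itself would reject. All DNs and UPNs in it are constructed samples.

```python
"""Parse AD distinguished names and relate them to RDNs and UPNs.

Added example; the DNs and UPNs below are constructed sample values.
"""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = ',+"\\<>;='

# Constructed samples modelled on the article's "John Smith" in a Users OU.
USER_DN = "CN=John Smith,OU=Users,DC=corp,DC=example,DC=com"
ESCAPED_DN = r"CN=Smith\, John,OU=Users,DC=corp,DC=example,DC=com"
COMPUTER_DN = "CN=WS01,CN=Computers,DC=corp,DC=example,DC=com"


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, most specific first.

    A backslash escapes the next character, or a two-digit hex byte, so a
    comma inside a value (e.g. "Smith\\, John") does not start a new RDN.
    """
    pieces, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    pieces.append("".join(buf))
    components = []
    for piece in pieces:
        typ, _, val = piece.partition("=")
        # Attribute types are case-insensitive; normalise to upper case.
        components.append((typ.strip().upper(), val.lstrip()))
    return components


def escape_value(val: str) -> str:
    """Re-apply RFC 4514 escaping when turning a parsed value back into text."""
    return "".join("\\" + c if c in _SPECIAL else c for c in val)


def format_dn(components: list) -> str:
    return ",".join(f"{t}={escape_value(v)}" for t, v in components)


def rdn(dn: str) -> str:
    """The RDN is the first component: the attribute naming the object itself."""
    return format_dn(parse_dn(dn)[:1])


def container(dn: str) -> str:
    """The parent container's DN is everything after the RDN."""
    return format_dn(parse_dn(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components in order to get the DNS name of the holding domain."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def upn_suffix_matches_dn(upn: str, dn: str) -> bool:
    """True when the UPN suffix equals the domain derived from the DN.

    A mismatch is not an error (a forest-root suffix on a child-domain user is
    common), but it is worth surfacing when reconciling identity data.
    """
    _, _, suffix = upn.rpartition("@")
    return suffix.lower() == dns_domain(dn).lower()


def find_duplicate_rdns(dns: list) -> list:
    """Report pairs of DNs that share an RDN inside the same container.

    AD refuses to create such an object; this check catches the collision in
    data prepared for import before the directory rejects it.
    """
    seen, dups = {}, []
    for dn in dns:
        comps = parse_dn(dn)
        key = (container(dn).lower(), comps[0][0], comps[0][1].lower())
        if key in seen:
            dups.append((seen[key], dn))
        else:
            seen[key] = dn
    return dups


if __name__ == "__main__":
    print(rdn(USER_DN), "|", container(COMPUTER_DN), "|", dns_domain(USER_DN))
    print(upn_suffix_matches_dn("jsmith@example.com", USER_DN))
```

The parser deliberately lowercases nothing in the values it returns; only the collision check compares case-insensitively, mirroring how the directory itself treats RDNs.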