Active Directory Object Naming

Active Directory uses the Lightweight Directory Access Protocol (LDAP) as its primary access protocol. LDAP runs over TCP/IP and defines how an Active Directory client references and accesses objects on a server. Under LDAP, every object has a distinct Distinguished Name; this name distinguishes the object from every other object in Active Directory and also tells us where the object exists. The two main components of a distinguished name are a CN (common name) and a DC (domain component). The common name identifies an object or the container in which it exists, while the domain component references the domain within which the object exists. For example, a distinguished name could look like this:

CN=Dan DiNicolo, CN=Users, DC=2000trainers, DC=com

In the above example I have a user called Dan DiNicolo, who exists within a container called Users, in the domain 2000trainers, which is a subdomain of com. The distinguished name of an object must be unique within a given Active Directory forest (more on forests in a bit).

While a distinguished name tells us about the complete context of an object, a relative distinguished name uniquely identifies an object within its parent container. For example, if I were searching within the Users container, the relative distinguished name of the object I identified above would be Dan DiNicolo.
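The following parser is an added example and is not code from the original article. It takes a DN string in the form shown above and splits it into its components, so that the relative distinguished name (the leftmost component), the parent container and the DNS-style domain assembled from the DC components can each be read off. It also handles the one edge case a practitioner runs into in practice: values containing commas or other reserved characters are backslash-escaped (RFC 4514), so a naive split on "," breaks the name apart in the wrong places. The DN with escaped characters is a constructed sample; the domain example.com in it is a placeholder.

```python
"""Split LDAP distinguished names into their CN/OU/DC components.

Added example, not the article's code. Follows the RFC 4514 string form:
RDNs separated by commas, each "attribute=value", with "\" as the escape
character inside values. Multi-valued RDNs joined with "+" are not handled.
"""
from typing import List, Tuple

# Characters that may follow a backslash as a one-character escape (RFC 4514).
_ESCAPABLE = set(' #,+"\\<>;=')
# Characters that must always be escaped when a value is written back out.
_SPECIAL = set(',+"\\<>;')


def _finish(attr: List[str], value: List[Tuple[str, bool]]) -> Tuple[str, str]:
    """Build one (attribute, value) pair from the buffered characters."""
    name = "".join(attr).strip().upper()      # attribute types are case-insensitive
    if not name:
        raise ValueError("empty attribute type in DN")
    # Drop unescaped whitespace around the value; escaped spaces are part of it.
    lo, hi = 0, len(value)
    while lo < hi and value[lo] == (" ", False):
        lo += 1
    while hi > lo and value[hi - 1] == (" ", False):
        hi -= 1
    return name, "".join(ch for ch, _ in value[lo:hi])


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (attribute, value) pairs, leftmost first."""
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[Tuple[str, bool]] = []        # (character, was_escaped)
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            if not in_value:
                raise ValueError("escape sequence inside attribute type")
            nxt = dn[i + 1:i + 2]
            if nxt in _ESCAPABLE:             # "\," style single-character escape
                value.append((nxt, True))
                i += 2
            else:                             # "\2C" style hex escape
                value.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            continue
        if ch == "=" and not in_value:
            in_value = True
        elif ch == ",":                       # unescaped comma ends this RDN
            rdns.append(_finish(attr, value))
            attr, value, in_value = [], [], False
        elif in_value:
            value.append((ch, False))
        else:
            attr.append(ch)
        i += 1
    rdns.append(_finish(attr, value))
    return rdns


def escape_value(value: str) -> str:
    """Escape a value so it can be placed back into a DN string."""
    out, last = [], len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _SPECIAL or (ch == " " and idx in (0, last)) or (ch == "#" and idx == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:                  # control characters as hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_dn(pairs: List[Tuple[str, str]]) -> str:
    """Write pairs back as a normalised DN: no padding, consistent escaping."""
    return ",".join(f"{a}={escape_value(v)}" for a, v in pairs)


def rdn(dn: str) -> str:
    """Relative distinguished name: the object's own component, e.g. 'CN=Dan DiNicolo'."""
    return format_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """DN of the container the object lives in (everything after the first RDN)."""
    return format_dn(parse_dn(dn)[1:])


def domain_of(dn: str) -> str:
    """DNS-style domain name assembled from the DC components, e.g. '2000trainers.com'."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


if __name__ == "__main__":
    article_dn = "CN=Dan DiNicolo, CN=Users, DC=2000trainers, DC=com"
    # Constructed sample: escaped comma and hex-escaped comma inside values.
    escaped_dn = r"CN=DiNicolo\, Dan,OU=Sales\2C Ops,DC=example,DC=com"
    for dn in (article_dn, escaped_dn):
        print(rdn(dn), "|", parent_dn(dn), "|", domain_of(dn))
```

Because escaping is honoured, `parse_dn` reports four components for the constructed DN where `str.split(",")` would report five; anything that builds LDAP filters or compares DNs from user-supplied input should go through this kind of parser and through `escape_value` rather than string concatenation.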

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.