Naming schemes to avoid in AD

At some point, you'll find yourself in the situation where you need to decide on a naming scheme for an Active Directory forest and domain. This is a critical point and should not be chosen when you're standing in front of the screen and typing DCPROMO.

Let me elaborate a bit...

Historically, Microsoft has been extremely liberal in what names are allowed within the GUI during DCPromo and user/computer account creation (or setup.exe in NT 4). This is partly because during the NT 4 days it didn't matter much what you called the domain or the computer, it pretty much worked anyway as you only had the NetBIOS version to worry about and no possibility of any component confusing it with a DNS name.

Enter Windows 2000 and suddenly have the DNS version and the NetBIOS version to worry about.

Enter Windows 2003 and Forest now have trusts using DNS names. Additionally, since the name suffix routing engine uses the UPN of accounts as a hint to which forest it should route login requests you need to make sure your UPN is in a proper DNS format if you want to use it outside of the forest.

So, here is a list compiled from existing cases with PSS:

Bad AD domain or forest names:

  • NetBIOS names which contain dots (.)
  • Single-label DNS domain names
  • Numeric-only domain names (DNs or NetBIOS)
  • Domains with numeric-only DNS suffixes

Developers often need to decide whether a domain name being passed to the application is NetBIOS or DNS, with this type of format you most likely get the wrong type returned which results in unexpected errors that can be difficult to troubleshoot.

Bad naming schemes for user or computer accounts (security principals)

  • Numeric-only accounts
  • Numeric-only UPN logon names (won't be routed across forest trusts)
  • Accounts starting with 'S-' (might be considered SIDs)

The worst naming scheme possible is what I refer to as AD 360, this is where the NetBIOS name looks like the DNS name and the DNS name is single label (i.e. SLD).
Example: NetBIOS name: DOMAIN.COM and DNS name: DOMAIN.

Disjointed namespaces are also on the list, but don't warrant a separate entry (they'd need a separate website).

In the next release after Windows 2008, most of these will probably be blocked from being created but you should still be able to manage or upgrade existing domains that use them.

See also:

Naming conventions in Active Directory for computers, domains, sites, and OUs

A user in a trusted Windows Server 2003 forest cannot use a UPN to log on to a trusting Windows Server 2003 forest when UPN suffixes are not DNS-compliant

Information about configuring Windows for domains with single-label DNS names

Error message when you join a Windows Vista-based client computer to a top level domain (TLD) that has a purely numeric suffix: "An Active Directory Domain Controller for the domain <DNS domain name> could not be contacted"

Requirements for Internet Hosts -- Application and Support