Naming conventions in Active Directory for computers, domains, sites, and OUs

This article describes the naming conventions for computer accounts in Microsoft Windows, NetBIOS domain names, DNS domain names, Active Directory sites, and organizational units (OUs) that are defined in the Active Directory directory service. The topics that are discussed include the valid characters for names, the minimum and maximum name lengths, reserved names, names that we do not recommend, and general recommendations that are based on supporting Active Directory in small, medium, and large deployments.

All objects that are named within Active Directory or within AD/AM and LDS are subject to name matching based on the algorithm that is described in the following Microsoft Knowledge Base article: In that article, this naming convention applies to Computer, OU, and site names.

Computer names

NetBIOS computer names

Allowed characters

NetBIOS computer names can contain all alphanumeric characters except for the extended characters that are listed in the "Disallowed characters" section. Names can contain a period, but names cannot start with a period.

Disallowed characters

NetBIOS computer names cannot contain the following characters:

• backslash (\)
• slash mark (/)
• colon (:)
• asterisk (*)
• question mark (?)
• quotation mark (")
• less than sign (<)
• greater than sign (>)
• vertical bar (|)

Names can contain a period (.). However, the name cannot start with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Microsoft Windows 2000 or in later versions of Windows. If you are upgrading a computer whose NetBIOS name contains a period, change the machine name. For more information, see the "Special characters" section.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Minimum name length

1 character.

Maximum name length

15 characters.

Note The 16th character is reserved to identify the functionality that is installed on the registered network device.

Reserved names

See "Table of reserved words."

Special characters

Period (.).

A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identify logical NetBIOS networks that run on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

Warning The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests. For more information about NetBIOS scopes, visit the following non-Microsoft Web sites:

DNS computer names

Allowed characters

DNS computer names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:

Disallowed characters

DNS host names cannot contain the following characters:

• comma (,)
• tilde (~)
• colon (:)
• exclamation point (!)
• at sign (@)
• number sign (#)
• dollar sign ($)
• percent (%)
• caret (^)
• ampersand (&)
• apostrophe (')
• period (.)
• parentheses (())
• braces ({})
• underscore (_)

In DNS, a period breaks the name into a different namespace. In this scenario, such use is not valid.

The DNS host name cannot contain blank or space characters.

No distinction is made between upper and lowercase.

The first character must be alphabetical or numeric.

The last character must not be a minus sign or a period.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions. For more information, click the following article number to view the article in the Microsoft Knowledge Base: Note DNS Host Name Registration substitutes a hyphen (-) character for invalid characters. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 

Minimum name length

2 characters.

Maximum name length

24 characters.

The maximum length of the host name and of the fully qualified domain name (FQDN) is 63 octets per label and 255 bytes per FQDN. This maximum includes 254 bytes for the FQDN and one byte for the ending dot.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters.

Domain controllers must have an FQDN of less than 155 bytes.

Reserved names per RFC

• -GATEWAY
• -GW
• -TAC

Top-level Internet domain names are also reserved. These top-level domain names include .com, .net, .org, .us, .fr, and .gr.

Reserved names in Windows

See "Table of reserved words."

Best practices

When you create names for the DNS computers in a new Windows Server 2003 DNS infrastructure, use the following guidelines:

• Choose computer names that are easy for users to remember.
• Identify the owner of the computer in the computer name.
• Choose a name that describes the purpose of the computer.
• Do not use character case to indicate the owner or the purpose of a computer. DNS is not case-sensitive.
• Match the Active Directory domain name to the primary DNS suffix of the computer name.
• Use a unique name for every computer in your organization. Do not assign the same computer name to computers in different DNS domains.
• Use ASCII characters. This guarantees interoperability with computers that are running versions of Windows that are earlier than Windows 2000.
• In DNS computer names, use only the characters that are listed in RFC 1123. These characters include A–Z, a–z, 0–9, and the hyphen (-). In Windows Server 2003, DNS allows most UTF-8 characters in names. However, do not use extended ASCII or UTF-8 characters unless all the DNS servers in your environment support them.

Domain names

NetBIOS domain names

Allowed characters

NetBIOS domain names can contain all alphanumeric characters except for the extended characters that are listed in the "Disallowed characters" section. Names can contain a period, but names cannot start with a period.

Disallowed characters

NetBIOS computer names cannot contain the following characters:

• backslash (\)
• slash mark (/)
• colon (:)
• asterisk (*)
• question mark (?)
• quotation mark (")
• less than sign (<)
• greater than sign (>)
• vertical bar (|)

Names can contain a period (.). However, the name cannot start with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions.

Minimum name length

1 character.

Maximum name length

15 characters.

Note The 16th character is reserved to identify the functionality that is installed on the registered network device.

Reserved names in Windows

See "Table of reserved words."

The names of an upgraded domain can include a reserved word. However, trust relationships with other domains fail when this is true. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Special characters

Period (.).

A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identify logical NetBIOS networks that run on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

Warning The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests.

DNS domain names

Allowed characters

DNS host names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:

Disallowed characters

DNS host names cannot contain the following characters:

• comma (,)
• tilde (~)
• colon (:)
• exclamation point (!)
• at sign (@)
• number sign (#)
• dollar sign ($)
• percent (%)
• caret (^)
• ampersand (&)
• apostrophe (')
• period (.)
• parentheses (())
• braces ({})
• underscore (_)

In DNS, a period breaks the name into a different namespace. In this scenario, such use is not valid.

The DNS host name cannot contain blank or space characters.

No distinction is made between upper and lowercase.

The first character must be alphabetical or numeric.

The last character must not be a minus sign or a period.

Minimum name length

2 characters.

Maximum name length

24 characters.

The maximum length of the host name and of the fully qualified domain name (FQDN) is 63 octets per label and 255 bytes per FQDN. This maximum includes 254 bytes for the FQDN and one byte for the ending dot.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Single-label domain namespaces

Single-label DNS names are names that do not contain a suffix such as .com, .corp, .net, .org or companyname. For example, "host" is a single-label DNS name. Most Internet registrars do not allow the registration of single-label DNS names.

Generally, we recommend that you register DNS names for internal and external namespaces with an Internet registrar. This includes the DNS names of Active Directory domains, unless such names are subdomains of DNS names that are registered by your organization name. For example, "corp.example.com" is a subdomain of "example.com." Registering your DNS name with an Internet registrar may help prevent a name collision. A name collision may occur if another organization tries to register the same DNS name or if your organization merges with another organization that uses the same DNS name.

Problems that are associated with single-label namespaces include the following:

• Single-label DNS names cannot be registered by using an Internet registrar.
• Domains that have single-label DNS names require additional configuration.
• The DNS Server service may not be used to locate domain controllers in domains that have single-label DNS names.
• By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base: For more information regarding single label domains, visit the following Microsoft web site: Microsoft DNS Namespace Planning Solution Center (http://support.microsoft.com/gp/gp_namespace_master#tab4)

Disjointed namespaces

Definition of a disjointed namespace
A disjointed namespace occurs when a computer's primary DNS suffix does not match the DNS domain of which it is a member. For example, a disjointed namespace occurs when a machine that has the DNS name of dc1.contosocorp.com is in a domain that has the DNS name of contoso.com.

How disjointed namespaces occur

1. A Windows NT 4.0 primary domain controller is upgraded to a Windows 2000 domain controller by using the original release version of Windows 2000. In the Networking item in Control Panel, multiple DNS suffixes are defined.
2. The domain is renamed when the forest is at the Windows Server 2003 forest functional level, and the primary DNS suffix is not changed to reflect the new DNS domain name.

Effects of a disjointed namespace
Suppose a domain controller named DC1 resides in a Windows NT 4.0 domain whose NetBIOS domain name is contoso. This domain controller is upgraded to Windows 2000. When this upgrade occurs, the DNS domain is renamed contoso.com. In the original release version of Windows 2000, the upgrade routine clears the check box that links the primary DNS suffix of the domain controller to its DNS domain name. Therefore, the primary DNS suffix of the domain controller is the DNS suffix that was defined in the Windows NT 4.0 suffix search list. In this example, the DNS name is DC1.northamerica.contoso.com.

The domain controller dynamically registers its service location (SRV) records in the DNS zone that corresponds to its DNS domain name. However, the domain controller registers its host records in the DNS zone that corresponds to its primary DNS suffix.

Note Host records are also known as "A records" or "glue records."

When you intentionally create a disjointed namespace, configure forwarders or delegations in the DNS zones. Configure these forwarders or delegations between both forward lookup zones so that the host records can be located. For example, configure forwarders between the contoso.com and northamerica.contoso.com. If a disjointed namespace is created unintentionally, if no forwarders are configured, and if the DNS zones are created by the Active Directory Installation Wizard, no zone is created for the primary DNS suffix zone. When this configuration requirement is not satisfied, clients cannot resolve DNS requests for services to the IP addresses of the domain controllers that provide these services. In this scenario, AD replication and other operations experience a DNS lookup error. These operations fail because the SRV record request points to a host record that does not exist in the zone. Or, these operations fail because the host record is in a zone that cannot be reached through a forwarder.

Preventing disjointed namespace problems
When a Windows NT 4.0 primary domain controller is upgraded to the original release version of Windows 2000, the Change primary DNS suffix when domain membership changes check box is unchecked. This problem was corrected in Windows 2000 Service Pack 1. To work around this problem, use one of the following methods:

• Select the Change primary DNS suffix when domain membership changes check box.
• Perform a slipstream of the service pack with the installation media so that the upgrade automatically upgrades the domain controller to the current service pack.

After you perform a domain rename, make sure that you modify the DNS suffix of the domain controllers so that it matches the new domain namespace.

Best practices

• Before you upgrade a Windows NT 4.0 domain controller, modify the DNS suffix of the computer in the TCP/IP Properties dialog box to match the DNS suffix of the Windows 2000 domain of which it will be a member.
• Before you run the Active Directory Installation Wizard on a Windows 2000 member server, make sure that the Change primary DNS suffix when domain membership changes check box is selected. To locate this check box, follow these steps:
  1. Right-click My Computer, and then click Properties.
  2. In the System Properties dialog box, click the Network Identification tab, and then click Properties.
  3. In the Identification Changes dialog box, click More.
  By default, the Change primary DNS suffix when domain membership changes check box is selected on a Windows 2000-based computer, unless it has been upgraded from Windows NT 4.0.
• Before you upgrade the first domain controller, plan the DNS namespace. Otherwise, you may incorrectly answer namespace questions in the Active Directory Installation Wizard.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

Reserved names

See "Table of reserved words."

Do not use top-level Internet domain names on the intranet. Top-level Internet domain names include .com, .net, .org, .us, .fr, and .gr. If you use top-level Internet domain names on the intranet, computers on the intranet that are also connected to the Internet may experience resolution errors.

Other factors

Forests that are connected to the Internet

A DNS namespace that is connected to the Internet must be a subdomain of a top-level or second-level domain of the Internet DNS namespace.

Maximum number of domains in a forest

In Windows 2000, the maximum number of domains in a forest is 800. In Windows Server 2003, the maximum number of domains at Forest Functional Level 2 is 1200. This restriction is a limitation of multivalued non-linked attributes in Windows Server 2003.

Best practices

• Because the DNS names of all the nodes that require name resolution include the Internet DNS domain name for the organization, choose an Internet DNS domain name that is short and easy to remember. Because DNS is hierarchical, DNS domain names grow when you add subdomains to your organization. Short domain names make the computer names easy to remember.
• If the organization has an Internet presence, use names that are relative to the registered Internet DNS domain name. For example, if you have registered the Internet DNS domain name contoso.com, use a DNS domain name such as corp.contoso.com for the intranet domain name.
• Do not use the name of an existing corporation or product as your domain name.
• Do not use an acronym or an abbreviation as a domain name. Users may have difficulty recognizing the business unit that an acronym represents.
• Do not use the name of a business unit or of a division as a domain name. Business units and other divisions change periodically, and these domain names can be misleading or become obsolete.
• Do not use geographic names that are difficult to spell and remember.
• Avoid extending the DNS domain name hierarchy more than five levels from the root domain. You can reduce administrative costs by limiting the extent of the domain name hierarchy.
• If you are deploying DNS in a private network, and you do not plan to create an external namespace, register the DNS domain name that you create for the internal domain. Otherwise, you may find that the name is unavailable if you try to use it on the Internet, or if you connect to a network that is connected to the Internet.

Site names

We recommend that you use a valid DNS name when you create a new site name. Otherwise, your site will be available only where a Microsoft DNS server is used. For more information about valid DNS names, see the "DNS computer names" section.

Allowed characters

DNS host names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:

Disallowed characters

DNS host names cannot contain the following characters:

• comma (,)
• tilde (~)
• colon (:)
• exclamation point (!)
• at sign (@)
• number sign (#)
• dollar sign ($)
• percent (%)
• caret (^)
• ampersand (&)
• apostrophe (')
• period (.)
• parentheses (())
• braces ({})
• underscore (_)

In DNS, a period breaks the name into a different namespace. In this scenario, such use is not valid.

The DNS host name cannot contain blank or space characters.

No distinction is made between upper and lowercase.

The first character must be alphabetical or numeric.

The last character must not be a minus sign or a period.

Minimum name length

1 character.

Maximum name length

24 characters.

The maximum length of the host name and of the fully qualified domain name (FQDN) is 63 octets per label and 255 bytes per FQDN. This maximum includes 254 bytes for the FQDN and one byte for the ending dot.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters.

For more information on fully qualified domain name character limits, see MSKB article 245809 (245809 Windows 2000 Supports Fully Qualified Domain Names up to 64 UTF-8 Bytes Long)

OU names

Allowed characters

All characters are allowed, even extended characters. However, although Active Directory Users and Computers lets you name an OU with extended characters, we recommend that you use names that describe the purpose of the OU and that are short enough to easily manage. Lightweight Directory Access Protocol (LDAP) does not have any restrictions, because the CN of the object is put in quotation marks.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Disallowed characters

No characters are not allowed.

Minimum name length

1 character.

Maximum name length

64 characters.

Special issues

When the OU has the same name as another object in the forest, a name collision may sometimes occur. We recommend that you do not give an OU the same name as another object in the forest.

For example, consider a scenario where the OU has the same name as other objects in the forest. An OU in the parent domain has the same name as the NetBIOS name of a child domain. The OU is deleted during the tombstone lifetime of the OU. Then, a child domain that has the same name is created, deleted, and created again. In this scenario, a duplicate object in the Jet database causes a phantom-phantom name collision when the child domain is re-created. This problem prevents the configuration container from replicating.

Table of reserved words