Article ID: 909264
 
INTRODUCTION

This article describes the naming conventions for computer accounts in Microsoft Windows, NetBIOS domain names, DNS domain names, Active Directory sites, and organizational units (OUs) that are defined in the Active Directory directory service. The topics that are discussed include the valid characters for names, the minimum and maximum name lengths, reserved names, names that we do not recommend, and general recommendations that are based on supporting Active Directory in small, medium, and large deployments.

All objects that are named within Active Directory, Active Directory Application Mode (ADAM), or Active Directory Lightweight Directory Services (AD LDS) are subject to name matching based on the algorithm that is described in the following Microsoft Knowledge Base article:
938447 You cannot add a user name or an object name that only differs by a character with a diacritic mark
The name-matching rule in that article applies to computer, OU, and site names.

Computer names

NetBIOS computer names

Allowed characters
NetBIOS computer names can contain all alphanumeric characters except for the extended characters that are listed in the "Disallowed characters" section. Names can contain a period, but names cannot start with a period.
Disallowed characters
NetBIOS computer names cannot contain the following characters:
  • backslash (\)
  • slash mark (/)
  • colon (:)
  • asterisk (*)
  • question mark (?)
  • quotation mark (")
  • less than sign (<)
  • greater than sign (>)
  • vertical bar (|)
Names can contain a period (.). However, the name cannot start with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Microsoft Windows 2000 or in later versions of Windows. If you are upgrading a computer whose NetBIOS name contains a period, change the machine name. For more information, see the "Special characters" section.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
244412 Windows 2000 does not permit all-numeric computer names
For more information about the NetBIOS name syntax, go to the following Microsoft website:
General information about the NetBIOS name syntax

Minimum name length
1 character.
Maximum name length
15 characters.

Note The 16th character is reserved to identify the functionality that is installed on the registered network device.
Reserved names
See "Table of reserved words."
Special characters
Period (.).

A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identify logical NetBIOS networks that run on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

Warning The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests. For more information about NetBIOS scopes, visit the following non-Microsoft Web sites:
http://www.ietf.org/rfc/rfc1001.txt
http://www.ietf.org/rfc/rfc1002.txt

DNS host names

Allowed characters
DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:
http://www.ietf.org/rfc/rfc952.txt
http://www.ietf.org/rfc/rfc1123.txt
Disallowed characters
DNS host names cannot contain the following characters:
  • comma (,)
  • tilde (~)
  • colon (:)
  • exclamation point (!)
  • at sign (@)
  • number sign (#)
  • dollar sign ($)
  • percent (%)
  • caret (^)
  • ampersand (&)
  • apostrophe (')
  • period (.)
  • parentheses (())
  • braces ({})
  • underscore (_)
  • white space (blank)
The underscore has a special role, as it is permitted for the first character in SRV records by RFC definition, but newer DNS servers may also allow it anywhere in a name. For more details, see: http://technet.microsoft.com/en-us/library/cc959336.aspx.

More rules are:
  • All characters preserve their case formatting except for American Standard Code for Information Interchange (ASCII) characters.
  • The first character must be alphabetical or numeric.
  • The last character must not be a minus sign or a period.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
244412 Windows 2000 does not permit all-numeric computer names
Note DNS Host Name Registration substitutes a hyphen (-) character for invalid characters. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 
149044 DNS Host Name substitutes "-" for invalid characters
Minimum name length
2 characters.
Maximum name length
63 characters.

The maximum length of the host name and of the fully qualified domain name (FQDN) is 63 bytes per label and 255 bytes per FQDN.

Note Windows does not permit computer names that exceed 15 characters, and you cannot specify a DNS host name that differs from the NetBIOS host name. You can, however, create host headers for a web site that is hosted on the computer; those host headers are then subject to this recommendation.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters.

Domain controllers must have an FQDN of less than 155 bytes.
Reserved names per RFC 952
  • -GATEWAY
  • -GW
  • -TAC
For more information, visit the following non-Microsoft Web sites: 
http://tools.ietf.org/html/rfc952
Reserved names in Windows
See "Table of reserved words."
Best practices
When you create names for the DNS computers in a new Windows Server 2003 DNS infrastructure, use the following guidelines:
  • Choose computer names that are easy for users to remember.
  • Identify the owner of the computer in the computer name.
  • Choose a name that describes the purpose of the computer.
  • For ASCII characters, do not use character case to indicate the owner or the purpose of a computer. For ASCII characters, DNS is not case-sensitive, and Windows and Windows applications are not case-preserving in all places.
  • Match the Active Directory domain name to the primary DNS suffix of the computer name. For more details, see the "Disjointed namespaces" section below.
  • Use a unique name for every computer in your organization. Avoid the same computer name for computers in different DNS domains.
  • Use ASCII characters. This guarantees interoperability with computers that are running versions of Windows that are earlier than Windows 2000.
  • In DNS computer names, use only the characters that are listed in RFC 1123. These characters include A–Z, a–z, 0–9, and the hyphen (-). In Windows Server 2003, DNS allows most UTF-8 characters in names. However, do not use extended ASCII or UTF-8 characters unless all the DNS servers in your environment support them.
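As an added example that is not part of the KB article, the following Python checks a candidate name against the NetBIOS computer-name rules and the DNS host-name rules described in the two sections above. The reserved-word set is a subset of the "Table of reserved words" at the end of the article, and the hyphen substitution is a simplified model of the KB 149044 behaviour the article mentions, not Microsoft's implementation.

```python
import re

# Characters the article lists as disallowed in NetBIOS computer names.
NETBIOS_DISALLOWED = set('\\/:*?"<>|')
NETBIOS_MAX_LEN = 15      # the 16th byte is the NetBIOS suffix, not part of the name

# RFC 1123 label: letters, digits and hyphen; first character alphanumeric,
# last character not a hyphen (the article's "first/last character" rules).
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
DNS_LABEL_MAX_BYTES = 63
DNS_FQDN_MAX_BYTES = 255
DNS_HOST_MIN_LEN = 2

# Subset of the article's reserved words (Windows Server 2003 and later column).
RESERVED_WORDS = {
    "ANONYMOUS", "BATCH", "BUILTIN", "DIALUP", "INTERACTIVE", "INTERNET",
    "LOCAL", "NETWORK", "NULL", "PROXY", "SELF", "SERVER", "SERVICE",
    "SYSTEM", "USERS", "WORLD",
}


def check_netbios_computer_name(name: str) -> list[str]:
    """Return the rule violations for a NetBIOS computer name (empty list if valid)."""
    problems = []
    if not name:
        return ["name is empty (minimum length is 1 character)"]
    if len(name) > NETBIOS_MAX_LEN:
        problems.append(f"longer than {NETBIOS_MAX_LEN} characters")
    bad = sorted(set(name) & NETBIOS_DISALLOWED)
    if bad:
        problems.append("contains disallowed characters: " + " ".join(bad))
    if name.startswith("."):
        problems.append("starts with a period")
    elif "." in name:
        problems.append("contains a period (NetBIOS scope identifier; legacy, avoid with AD)")
    if re.fullmatch(r"[0-9]+", name):
        problems.append("all-numeric names are not permitted for domain members (KB 244412)")
    if name.upper() in RESERVED_WORDS:
        problems.append(f"'{name.upper()}' is a reserved word")
    return problems


def check_dns_host_name(fqdn: str) -> list[str]:
    """Check a host name or FQDN against the article's DNS host-name rules."""
    problems = []
    if len(fqdn.encode("utf-8")) > DNS_FQDN_MAX_BYTES:
        problems.append(f"FQDN exceeds {DNS_FQDN_MAX_BYTES} bytes")
    labels = fqdn.split(".")
    if len(labels[0]) < DNS_HOST_MIN_LEN:
        problems.append(f"host label shorter than {DNS_HOST_MIN_LEN} characters")
    for label in labels:
        # Lengths are measured in UTF-8 bytes, not characters, as the article notes.
        if len(label.encode("utf-8")) > DNS_LABEL_MAX_BYTES:
            problems.append(f"label '{label}' exceeds {DNS_LABEL_MAX_BYTES} bytes")
        if not DNS_LABEL_RE.match(label):
            problems.append(f"label '{label}' is not a valid RFC 1123 label")
    return problems


def dns_host_name_from_netbios(netbios_name: str) -> str:
    """Simplified model of the substitution described in KB 149044:
    characters that are invalid in a DNS host name become a hyphen."""
    return re.sub(r"[^A-Za-z0-9-]", "-", netbios_name)


if __name__ == "__main__":
    # "SALES_01" is a legal NetBIOS name but needs substitution to register in DNS.
    for candidate in ["DC1", "SALES_01", "12345", "FILE:SRV", "SERVER"]:
        print(candidate, check_netbios_computer_name(candidate) or "ok")
    print(check_dns_host_name("dc1.corp.contoso.com") or "ok")
    print(dns_host_name_from_netbios("SALES_01"))
```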

Domain names

NetBIOS domain names

Allowed characters
NetBIOS domain names can contain all alphanumeric characters except for the extended characters that are listed in the "Disallowed characters" section. Names can contain a period, but names cannot start with a period.
Disallowed characters
NetBIOS domain names cannot contain the following characters:
  • backslash (\)
  • slash mark (/)
  • colon (:)
  • asterisk (*)
  • question mark (?)
  • quotation mark (")
  • less than sign (<)
  • greater than sign (>)
  • vertical bar (|)
Names can contain a period (.). However, the name cannot start with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. However, periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

In Windows 2000 and in later versions of Windows, computers that are members of an Active Directory domain cannot have names that are composed completely of numbers. This restriction is because of DNS restrictions.
Minimum name length
1 character.
Maximum name length
15 characters.

Note The 16th character is reserved to identify the functionality that is installed on the registered network device.
Reserved names in Windows
See "Table of reserved words."

The names of an upgraded domain can include a reserved word. However, trust relationships with other domains fail when this is true. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
836182 You cannot establish a trust relationship to another Windows 2000 domain in Windows 2000 Server if the domain is named "Internet"
Special characters
Period (.).

A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identify logical NetBIOS networks that run on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

Warning The use of NetBIOS scopes in names is a legacy configuration and should not be used with Active Directory forests. There is no inherent problem with this, but there may be applications that filter the name and assume a DNS name when a "." is found.

DNS domain names

Allowed characters
DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:
http://www.ietf.org/rfc/rfc952.txt
http://www.ietf.org/rfc/rfc1123.txt
Disallowed characters
DNS domain names cannot contain the following characters:
  • comma (,)
  • tilde (~)
  • colon (:)
  • exclamation point (!)
  • at sign (@)
  • number sign (#)
  • dollar sign ($)
  • percent (%)
  • caret (^)
  • ampersand (&)
  • apostrophe (')
  • period (.)
  • parentheses (())
  • braces ({})
  • underscore (_)
  • white space (blank)
The underscore has a special role, as it is permitted for the first character in SRV records by RFC definition, but newer DNS servers may also allow it anywhere in a name. For more details, see: http://technet.microsoft.com/en-us/library/cc959336.aspx.

When you promote a new domain, you get a warning that an underscore character might cause problems with some DNS servers, but the wizard still lets you create the domain.

More rules are:
  • All characters preserve their case formatting except for ASCII characters.
  • The first character must be alphabetical or numeric.
  • The last character must not be a minus sign or a period.

Minimum name length
2 characters.
Maximum name length
255 characters.

The maximum length of the host name and of the fully qualified domain name (FQDN) is 63 bytes per label and 255 characters per FQDN. The latter is based on the maximum path length that an Active Directory domain name can produce in the paths needed in SYSVOL, which must stay within the 260-character MAX_PATH limit.

An example SYSVOL path has the form: \\<FQDN domain name>\sysvol\<FQDN domain name>\policies\{<policy GUID>}\[user|machine]\<CSE-specific path>. The "CSE-specific path" might contain user input such as the logon script file name, so it can also reach a significant length.

Because the AD FQDN domain name appears in the path twice, the length of an AD FQDN domain name is restricted to 64 characters.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
245809 Windows 2000 supports fully qualified domain names up to 64 UTF-8 bytes long
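As an added example that is not part of the article, this Python builds the SYSVOL policy path described above and works out how much of the 260-character MAX_PATH budget a given domain FQDN leaves for the CSE-specific part; the policy GUID is a constructed placeholder (any GUID has the same 36-character length).

```python
MAX_PATH = 260          # Windows MAX_PATH limit that the full SYSVOL path must stay within
MAX_AD_FQDN_BYTES = 64  # resulting limit on the AD domain FQDN (KB 245809)
# Constructed placeholder GUID; only its length matters for the path budget.
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"


def sysvol_policy_path(domain_fqdn: str, policy_guid: str, scope: str, cse_path: str) -> str:
    """Build the SYSVOL policy path pattern quoted in the article.

    The domain FQDN appears twice: as the UNC server part and as the
    domain folder under the sysvol share.
    """
    if scope not in ("User", "Machine"):
        raise ValueError("scope must be 'User' or 'Machine'")
    return (f"\\\\{domain_fqdn}\\sysvol\\{domain_fqdn}\\policies\\{{{policy_guid}}}"
            f"\\{scope}\\{cse_path}")


def cse_path_budget(domain_fqdn: str, scope: str = "Machine") -> int:
    """Characters left for the CSE-specific part after the fixed parts are counted.

    Fixed overhead is 67 characters plus twice the domain name for the Machine
    scope, so a 64-character domain leaves 260 - 67 - 128 = 65 characters.
    """
    fixed = len(sysvol_policy_path(domain_fqdn, PLACEHOLDER_GUID, scope, ""))
    return MAX_PATH - fixed


def check_domain_fqdn(domain_fqdn: str) -> list[str]:
    """Report why a candidate AD domain FQDN would exceed the article's limits."""
    problems = []
    # KB 245809 states the limit in UTF-8 bytes, so count bytes rather than characters.
    if len(domain_fqdn.encode("utf-8")) > MAX_AD_FQDN_BYTES:
        problems.append(f"domain FQDN exceeds {MAX_AD_FQDN_BYTES} UTF-8 bytes")
    if cse_path_budget(domain_fqdn) <= 0:
        problems.append("no room left under MAX_PATH for any CSE-specific path")
    return problems


if __name__ == "__main__":
    for fqdn in ["corp.contoso.com", "a" * 60 + ".com", "x" * 100 + ".com"]:
        print(len(fqdn), "chars -> CSE budget", cse_path_budget(fqdn),
              check_domain_fqdn(fqdn) or "ok")
```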
Single-label domain namespaces
Single-label DNS names are names that do not contain a suffix such as .com, .corp, .net, .org or companyname. For example, "host" is a single-label DNS name. Most Internet registrars do not allow the registration of single-label DNS names.

Generally, we recommend that you register DNS names for internal and external namespaces with an Internet registrar. This includes the DNS names of Active Directory domains, unless such names are subdomains of DNS names that are registered by your organization name. For example, "corp.example.com" is a subdomain of "example.com." Registering your DNS name with an Internet registrar may help prevent a name collision. A name collision may occur if another organization tries to register the same DNS name or if your organization merges with another organization that uses the same DNS name.

Problems that are associated with single-label namespaces include the following:
  • Single-label DNS names cannot be registered by using an Internet registrar.
  • Domains that have single-label DNS names require additional configuration.
  • The DNS Server service may not be used to locate domain controllers in domains that have single-label DNS names.
  • By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
285983 Considerations for designing namespaces in a Windows 2000-based domain
300684 Information about configuring Windows for domains with single-label DNS
For more information regarding single label domains, visit the following Microsoft web site: Microsoft DNS Namespace Planning Solution Center

Disjointed namespaces

Definition of a disjointed namespace
A disjointed namespace occurs when a computer's primary DNS suffix does not match the DNS domain of which it is a member. For example, a disjointed namespace occurs when a machine that has the DNS name of dc1.contosocorp.com is in a domain that has the DNS name of contoso.com.

How disjointed namespaces occur
  1. A Windows NT 4.0 primary domain controller is upgraded to a Windows 2000 domain controller by using the original release version of Windows 2000. In the Networking item in Control Panel, multiple DNS suffixes are defined.
  2. The domain is renamed when the forest is at the Windows Server 2003 forest functional level, and the primary DNS suffix is not changed to reflect the new DNS domain name.
Effects of a disjointed namespace
Suppose a domain controller named DC1 resides in a Windows NT 4.0 domain whose NetBIOS domain name is contoso. This domain controller is upgraded to Windows 2000. When this upgrade occurs, the DNS domain is renamed contoso.com. In the original release version of Windows 2000, the upgrade routine clears the check box that links the primary DNS suffix of the domain controller to its DNS domain name. Therefore, the primary DNS suffix of the domain controller is the DNS suffix that was defined in the Windows NT 4.0 suffix search list. In this example, the DNS name is DC1.northamerica.contoso.com.

The domain controller dynamically registers its service location (SRV) records in the DNS zone that corresponds to its DNS domain name. However, the domain controller registers its host records in the DNS zone that corresponds to its primary DNS suffix.

For more information about disjoint namespaces, see these articles:
258503 Event ID 5788 and event ID 5789 occur when the DNS domain name and the Active Directory domain name differ on a Windows-based computer
http://support.microsoft.com/kb/258503/en-us

http://technet.microsoft.com/en-us/library/cc731929(v=WS.10).aspx

Reserved names
See "Table of reserved words."

Do not use top-level Internet domain names on the intranet, such as .com, .net, and .org. If you use top-level Internet domain names on the intranet, computers on the intranet that are also connected to the Internet may experience resolution errors.

Other factors

Forests that are connected to the Internet
A DNS namespace that is connected to the Internet must be a subdomain of a top-level or second-level domain of the Internet DNS namespace.
Maximum number of domains in a forest
In Windows 2000, the maximum number of domains in a forest is 800. In Windows Server 2003, the maximum number of domains at Forest Functional Level 2 is 1200. This restriction is a limitation of multivalued non-linked attributes in Windows Server 2003.
Best practices
  • Because the DNS names of all the nodes that require name resolution include the Internet DNS domain name for the organization, choose an Internet DNS domain name that is short and easy to remember. Because DNS is hierarchical, DNS domain names grow when you add subdomains to your organization. Short domain names make the computer names easy to remember.
  • If the organization has an Internet presence, use names that are relative to the registered Internet DNS domain name. For example, if you have registered the Internet DNS domain name contoso.com, use a DNS domain name such as corp.contoso.com for the intranet domain name.
  • Do not use the name of an existing corporation or product as your domain name. You can run into a name collision later on.
  • Avoid a very generic name such as domain.localhost. Another company that you merge with in a few years might have followed the same thinking.
  • Do not use an acronym or an abbreviation as a domain name. Users may have difficulty recognizing the business unit that an acronym represents.
  • Avoid the use of underscores (_) in domain names. Applications that are strictly RFC-compliant might reject the name and fail to install or work in your domain, and you might experience problems with older DNS servers.
  • Do not use the name of a business unit or of a division as a domain name. Business units and other divisions will change, and these domain names can be misleading or become obsolete.
  • Do not use geographic names that are difficult to spell and remember.
  • Avoid extending the DNS domain name hierarchy more than five levels from the root domain. You can reduce administrative costs by limiting the extent of the domain name hierarchy.
  • If you are deploying DNS in a private network, and you do not plan to create an external namespace, register the DNS domain name that you create for the internal domain. Otherwise, you may find that the name is unavailable if you try to use it on the Internet, or if you connect to a network that is connected to the Internet.

Site names

We recommend that you use a valid DNS name when you create a new site name. Otherwise, your site will be available only where a Microsoft DNS server is used. For more information about valid DNS names, see the "DNS host names" section.
Allowed characters
DNS names can contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.

In the Windows 2000 domain name system (DNS) and in the Microsoft Windows Server 2003 DNS, the use of Unicode characters is supported. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters if queries will be passed to the servers that use non-Microsoft implementations of DNS.

For more information, visit the following non-Microsoft Web sites:
http://www.ietf.org/rfc/rfc952.txt
http://www.ietf.org/rfc/rfc1123.txt
Disallowed characters
DNS names cannot contain the following characters:
  • comma (,)
  • tilde (~)
  • colon (:)
  • exclamation point (!)
  • at sign (@)
  • number sign (#)
  • dollar sign ($)
  • percent (%)
  • caret (^)
  • ampersand (&)
  • apostrophe (')
  • period (.)
  • parentheses (())
  • braces ({})
  • underscore (_)
  • white space (blank)
The underscore has a special role, as it is permitted for the first character in SRV records by RFC definition, but newer DNS servers may also allow it anywhere in a name. For more details, see: http://technet.microsoft.com/en-us/library/cc959336.aspx.

More rules are:
  • All characters preserve their case formatting except for ASCII characters.
  • The first character must be alphabetical or numeric.
  • The last character must not be a minus sign or a period.
Minimum name length
1 character.
Maximum name length
63 characters.

The maximum length of the DNS name is 63 bytes per label.

In Windows 2000 and in Windows Server 2003, the maximum host name and the FQDN use the standard length limitations that are mentioned earlier, with the addition of UTF-8 (Unicode) support. Because some UTF-8 characters exceed one octet in length, you cannot determine the size by counting the characters.

For more information about fully qualified domain name character limits, see MSKB article 245809.

OU names

Allowed characters
All characters are allowed, even extended characters. However, although Active Directory Users and Computers lets you name an OU with extended characters, we recommend that you use names that describe the purpose of the OU and that are short enough to easily manage. Lightweight Directory Access Protocol (LDAP) does not have any restrictions, because the CN of the object is put in quotation marks.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
886689 The Ntdsutil authoritative restore operation is not successful if the distinguished name path contains extended characters in Windows Server 2003 and in Windows 2000
Disallowed characters
None. No characters are disallowed.
Minimum name length
1 character.
Maximum name length
64 characters.
Special issues
When an OU at the domain root level has the same name as a future child domain, you might encounter database problems. To illustrate this, consider a scenario in which you delete an OU named "marketing" to create a child domain with the same name, for example marketing.contoso.com (the leftmost label of the child domain FQDN matches the OU name).

The OU is deleted and, during the tombstone lifetime of the deleted OU, a child domain that has the same name is created, deleted, and created again. In this scenario, a duplicate record name in the ESE database causes a phantom-phantom name collision when the child domain is re-created. This problem prevents the configuration container from replicating.

Note A similar name conflict might also happen with other RDN name types under certain conditions; it is not restricted to DC and OU name types:

951323 Error message when you add a group as a member of another group from a different domain in Windows Server 2003 Active Directory: "Directory Service is too busy"

http://support.microsoft.com/default.aspx?scid=kb;EN-US;951323

Table of reserved words

Reserved words for names | Windows NT 4.0 | Windows 2000 | Windows Server 2003 and later
ANONYMOUS                | X              | X            | X
AUTHENTICATED USER       |                | X            | X
BATCH                    | X              | X            | X
BUILTIN                  | X              | X            | X
CREATOR GROUP            | X              | X            | X
CREATOR GROUP SERVER     | X              | X            | X
CREATOR OWNER            | X              | X            | X
CREATOR OWNER SERVER     | X              | X            | X
DIALUP                   | X              | X            | X
DIGEST AUTH              |                |              | X
INTERACTIVE              | X              | X            | X
INTERNET                 |                | X            | X
LOCAL                    | X              | X            | X
LOCAL SYSTEM             |                |              | X
NETWORK                  | X              | X            | X
NETWORK SERVICE          |                |              | X
NT AUTHORITY             | X              | X            | X
NT DOMAIN                | X              | X            | X
NTLM AUTH                |                |              | X
NULL                     | X              | X            | X
PROXY                    |                | X            | X
REMOTE INTERACTIVE       |                |              | X
RESTRICTED               |                | X            | X
SCHANNEL AUTH            |                |              | X
SELF                     |                | X            | X
SERVER                   |                | X            | X
SERVICE                  | X              | X            | X
SYSTEM                   | X              | X            | X
TERMINAL SERVER          |                | X            | X
THIS ORGANIZATION        |                |              | X
USERS                    |                |              | X
WORLD                    | X              | X            | X

Properties

Article ID: 909264 - Last Review: July 22, 2013 - Revision: 17.0
Keywords: 
kbhowto kbinfo KB909264
