CalNetAD Naming Standards

Version 1.3

Updated: 09/17/2003

1. Introduction
2. Computer Names
3. User Account Names
4. Security and Distribution Groups
5. Group Policy Objects (GPOs)
6. CalNetAD Organization Prefixes

1. Introduction

We anticipate that many departments and units, large and small, on the Berkeley Campus will elect to join the CalNetAD forest. Most of the administrative responsibilities in the forest will be delegated to system administrators in these departments and units who will be creating Active Directory resources, with their associated names. These naming standards are meant to maintain an orderly forest, to ease recoginition of forest resources, and to help avoid naming collisions.

2. Computer Names

Windows 2000 computers have two names; a Fully Qualified Domain Name (FQDN) name, and a "pre-Windows 2000",  NetBIOS name.  In most cases, the host portion of two names will be identical and will be based upon the campus DNS name assigned to the campus IP address used by a machine. 

However, naming collisions can occur when computer names are moved into the CalNetAD.

Example 1: Computer with hostname ad-host1, DNS name ad-host1.berkeley.edu, located in the COIS OU in Active Directory

COMPUTER NAME: ad-host1 
DNS NAME: ad-host1.berkeley.edu
DN: cn=ad-host1,ou=COIS,dc=campus,dc=berkeley,dc=edu

Example 2: Computer with hostname ad-host1, DNS name ad-host1.coe.berkeley.edu, located in the COEDEAN OU in Active Directory

COMPUTER NAME: ad-host1
DNS NAME: ad-host1.coe.berkeley.edu
DN: cn=ad-host1,ou=COEDEAN,dc=campus,dc=berkeley,dc=edu

The "pre-Windows 2000", or NetBIOS, computer name is really the "account" name for the computer, and must be unique within the Windows 2000 domain in which it resides. In the two examples above, the account name 'ad-host1' is already taken by the machine in the COIS OU in Example 1. Thus, the machine in the COEDEAN OU in the second example will need to request a DNS name change to another, unique name.

Because WINS-based browsing services are still being used on campus, choosing a computer name that is unique throughout the entire Berkeley campus environment is highly recommended, to avoid WINS name collisions.  CNS can help with unique name selection.

For compatibility with "pre-Windows 2000" operating systems, the length of the "pre-Windows 2000", or NetBIOS, computer name is limited to 15 characters. 

3. User Account Names

As is the case with computers, a Windows user object has two names; a user "distinguished name", and an "account name".  The account name must be unique within the CalNetAD domain, while the user distinguished name, which serves as the Relative Distinguished Name (RDN) of the user in the Active Directory, must be unique within the Active Directory container in which it resides.

For users with a CalNetID, the user's Windows 2000 account name should be identical to the user's CalNetID.

For users who do not possess a CalNetID, the Windows 2000 user account name must be prefixed by bang (!) followed by the OU prefix and the user id, for example !OE-jdoe.  Since bangs are not allowed in CalNetID's, these non-uniqname Windows 2000 user names will not conflict with uniqname-based accounts that may be created in the future.

Example: mycalnetid (uniqname-based CalNetAD user account name)
Example: !OU-localname (non-uniqname CalNetAD user account name)

For users with a CalNetID, the CalNetID is used for both the user "distinguished name" and the "account name".   By using the uniqname as a distinguished name, we avoid name collisions within the CalNetAD forest that would otherwise result if full user names were used. For compatibility with "pre-Windows 2000" operating systems, the length of the "pre-Windows 2000", or NetBIOS, the account name is limited to 15 characters.

4. Security and Distribution Groups

A Windows 2000 Active Directory group may be one of six types.  Two broad categories, "security" and "distribution", define the general type of the group.  Each of these two types is further defined as either "domain local", "global" or "universal".  See the Microsoft paper Active Directory User, Computers and Groups for a more detailed explanation of Active Directory groups.

The CalNetAD recommended naming standard for Active Directory security and distribution group names is:

Active Directory group types are:
 

group types (tt)
ls	domain local security
gs	global security
us	universal security
ld	domain local distribution
gd	global distribution
ud	universal distribution

Example: COIS-OU Admins-gs

Because Active Directory groups are replicated across the network, they must be populated in ways that minimize network replication.  Try to use global and domain local groups where possible.  If you have a need to create a universal group, do not populate the universal group with individual users.  Instead, use the names of other groups to build the universal group membership.

Note: All group types in AD are displayed with the same group icon, which can be visually confusing.  The Active Directory Users and Computers console does shows the group type field, however testing has shown that after making changes to an individual group, the user interface no longer displays the group type field description.  This can cause confusion and lead to error, which is why we include the group type as part of the group naming scheme. Using this scheme will help prevent Administrators from choosing the wrong group when they are managing groups within groups, in their own domain and across other domains.

5. Group Policy Objects (GPOs)

The naming convention for Group Policy Objects is to use a CalNetAD OU Name as a prefix for all Group Policy names.  For instance, "COIS staff policy", or "HAAS lab 300 policy".  Using Group Policy names prefixed with your CalNetAD OU Name will reduce the likelihood that similarly named Group Policy objects will be confused with one-another. 

6. CalNetAD OU Names

A list of the CalNetAD OU names and prefixes is available here.