Unity Domain Naming Conventions
What's in a name? That which we call a rose
By any other name would smell as sweet.

William Shakespeare

In order to keep the Unity Active Directory domain smelling sweet, some basic naming conventions need to be used by everyone who administers objects or computers in the Unity domain.

These naming conventions are not meant to make your job harder.  In fact, just the opposite.  These conventions will make it easier for you to know the function an Active Directory object performs and who is responsible for it just by looking at the name.  They will also make it easier for you to name the objects and computers you create.

| Object Type | Prefix Case | Prefix Separator | Maximum Length | Example |
| --- | --- | --- | --- | --- |
| User Accounts | Lower | Period (.) | 20 characters | cals.classroom-admin |
| Computer Accounts | Lower | Hyphen (-) | 15 characters | unity-afc-pc01 |
| Groups | Upper | Underscore (_) | 64 characters | CNR_Grad Students |
| Group Policy Objects | Upper | Hyphen (-) | 255 characters | PAMS-Set desktop background |


Department Prefixes

The naming conventions described below require domain objects be named with a department prefix.  User, computer, group, and group policy objects must have unique names across the entire domain.  A prefix helps to ensure that objects created by different departments don't conflict with each other.

For computer objects, the prefix is determined by the DNS domain the computer is registered in.  For user, group, and group policy objects, the prefix is determined by the DNS domain that the Active Directory administrator's department primarily uses.

Click HERE for the list of Unity domain prefixes.

Prefixes for NCSU DNS Domains

Use the first part of the DNS domain name omitting ".ncsu.edu".  For example, the Zoology department primarily uses "zo.ncsu.edu" for its DNS domain name.  Its Unity domain prefix would be "zo".

Some departments may work with multiple NCSU DNS domains.  For example, ITECS may primarily use "itecs.ncsu.edu" for their own computers, but support clients with computers registered in other DNS domains such as "coe.ncsu.edu".  The user, group, and group policy objects that ITECS creates would use the "itecs" prefix.  The computer objects would use the prefix of the DNS domain where they're registered - "coe".

If an NCSU DNS domain name has multiple parts before ".ncsu.edu", use the DNS parts that come before "ncsu.edu" and replace the periods with hyphens.  For example, a workstation registered in "unity.ad.ncsu.edu" should use the prefix "unity-ad".

This convention is intended to ensure uniqueness while being simple and easy to use.  Most NC State DNS domain names begin with well-known acronyms for campus departments.  Using these for the prefix makes it easy to identify the department that owns a particular Active Directory object.

Determining the Prefix for Outside DNS Domains

If a computer is not registered anywhere in the "ncsu.edu" DNS namespace or if your department doesn't primarily use a DNS domain ending with "ncsu.edu", the procedure to determine the prefix is slightly different.

To determine the prefix you should use if the DNS domain does not end with ".ncsu.edu":

  1. Take the DNS domain name
  2. Remove the top-level domain name and right-most period (.edu, .net, .com, etc.)
  3. Replace any remaining periods (.) with hyphens (-)

For example, the North Carolina 4H department uses "nc4h.org".  Its prefix would be "nc4h".  You may have a computer that uses a RoadRunner DNS name ending with "nc.rr.com".  The prefix for RoadRunner computers would be "nc-rr".

Prefix Length

Some DNS domains result in a prefix that is longer than 4 or 5 characters.  For example, "classtech.ncsu.edu" should use "classtech" as its prefix according to the convention.  The maximum name length of some Active Directory objects is very small (15 characters for computer names).  Exceptions to the prefix convention can be made as long as you request one and it is recorded on the list of prefixes.

Prefix Examples

Here are some more prefix examples:

| DNS Domain | Computer Name Prefix |
| --- | --- |
| unity.ncsu.edu | unity |
| unity.ad.ncsu.edu | unity-ad |
| classtech.ncsu.edu | class (Exception) |
| cnr.ncsu.edu | cnr |
| dyndns.org | dyndns |
| nc.rr.com | nc-rr |
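
The two prefix procedures above, written out as an added example (not code from the original page). The function names are hypothetical, the exception table holds only the "classtech" entry shown above, and rejecting the bare "ncsu.edu" domain is an assumption because the page gives no rule for it.

```python
# Added example (not from the original page): derive a Unity department
# prefix from a DNS domain, following the two procedures described above.
NCSU_SUFFIX = ".ncsu.edu"

# Exceptions must be requested and recorded; this one is from the table above.
PREFIX_EXCEPTIONS = {"classtech.ncsu.edu": "class"}


def unity_prefix(dns_domain: str) -> str:
    """Return the department prefix for a DNS domain name."""
    domain = dns_domain.strip().rstrip(".").lower()
    labels = domain.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable DNS domain name: {dns_domain!r}")
    if domain == NCSU_SUFFIX.lstrip("."):
        # Assumption: the page gives no rule for the bare ncsu.edu domain.
        raise ValueError("no prefix rule for the bare ncsu.edu domain")
    if domain in PREFIX_EXCEPTIONS:
        return PREFIX_EXCEPTIONS[domain]
    if domain.endswith(NCSU_SUFFIX):
        # NCSU domains: keep the parts that come before ".ncsu.edu".
        kept = labels[:-2]
    else:
        # Outside domains: remove only the right-most label (.org, .com, ...).
        kept = labels[:-1]
    # Any periods left between the kept parts become hyphens.
    return "-".join(kept)


def prefix_for_host(fqdn: str) -> str:
    """Computers take the prefix of the DNS domain they are registered in."""
    host, sep, domain = fqdn.strip().partition(".")
    if not host or not sep:
        raise ValueError(f"expected host.domain, got {fqdn!r}")
    return unity_prefix(domain)


if __name__ == "__main__":
    for name in ("unity.ad.ncsu.edu", "classtech.ncsu.edu", "nc.rr.com"):
        print(name, "->", unity_prefix(name))
```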

 


User Accounts

Active Directory requires that user account names be unique across the entire domain even if the objects reside in different OUs.  For example, two departments cannot each create a user named "admin" in their own OU.  Active Directory won't allow the 2nd user to be created.  This naming convention will prevent such collisions from occurring.

Unity Accounts

Accounts under the Unity Users OU are named according to the following guidelines:

http://www.ncsu.edu/it/essentials/your_unity_account/loginid.html

Other Accounts

Departments are free to create as many user accounts as they'd like as long as the account names adhere to this naming convention:

User Account Naming Convention
| Field: | <Department Prefix> | <Period> | <Descriptor> |
| --- | --- | --- | --- |
| Case: | Lower | Punctuation | Mixed |
Maximum Overall Length: 20 characters

Legal Characters
Everything EXCEPT These:
  • Slash (/)
  • Backslash (\)
  • Left Square Bracket ([)
  • Right Square Bracket (])
  • Colon (:)
  • Semicolon (;)
  • Vertical Bar (|)
  • Equal Sign (=)
  • Comma (,)
  • Plus Sign (+)
  • Asterisk (*)
  • Question Mark (?)
  • Less-Than Sign (<)
  • Greater-Than Sign (>)
  • At Sign (@)
  • Double Quotation Mark (")

 

User Account Name Prefix

User account names must begin with a department prefix followed by a period (.) in order to ensure that the names are unique across the domain.  The department prefix is based on the DNS domain that the Active Directory administrator's department primarily uses.  The prefix for user account names should be lowercase for consistency.

User Account Name Descriptor and Length

The descriptor is determined by the Active Directory administrator creating the account.  The descriptor can be anything as long as the entire user account name is 20 characters or less and all account names beginning with a department's prefix are unique.

User Account Name Character Restrictions

It is recommended that the illegal characters listed above not be used.  Active Directory will allow you to create a user account name containing illegal characters but will replace the illegal characters in the account's pre-Windows 2000 logon name with underscores:

[Image: Illegal User Name Characters]

User Account Name Examples

Here are some examples of user account names that adhere to the naming convention:

User Account Name Examples
itd.admin
itd.abrose
itd.Web Service
cals.admin
cals.HelpDesk
itecs.lab-admin


Computer Accounts

Active Directory requires that computer account names be unique across the entire domain even if the objects reside in different OUs.  For example, two users cannot each join a computer named "laptop" to the domain even if the computer objects are created in different OUs.  This naming convention will prevent such collisions from occurring.

Computer account names must adhere to this naming convention:

Computer Account Naming Convention
| Field: | <Department Prefix> | <Hyphen> | <Descriptor> |
| --- | --- | --- | --- |
| Case: | Lower | Punctuation | Mixed |
Maximum Overall Length: 15 characters

Legal Characters
  • Letters (a..z, A..Z)
  • Numbers (0..9)
  • Hyphens (-)

Computer Account Name Prefix

Computer account names must begin with a prefix followed by a hyphen (-) in order to ensure that computer account names are unique across the domain.  The prefix is based on the DNS domain that the computer is registered in.  The prefix for computer account names should be lowercase for consistency.

Computer Account Name Descriptor

The descriptor is determined by the department's Active Directory administrators.  It can be anything as long as the entire computer account name adheres to the length and character restrictions described next.

Computer Account Name Character Restrictions

Computer account names must only contain letters, numbers, and hyphens in order to adhere to the DNS naming specification.  DNS is more strict than Windows and Active Directory regarding the characters that can be used for computer names.  According to the DNS specification in RFC 952:

A "name" (Net, Host, Gateway, or Domain name) is a text string up to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus sign (-), and period (.). Note that periods are only allowed when they serve to delimit components of "domain style names".

Although not recommended, Windows will allow you to set a computer name containing "non-standard" characters such as an underscore (_).  If you do so, the following warning will be shown:

Computer name contains one or more non-standard characters

In addition to the non-standard characters, there are several illegal characters that are not allowed to be used in computer names.  The following error will be shown if you attempt to set a computer name with an illegal character:

New computer name contains characters which are not allowed

Computer Account Name Length Restrictions

The overall length of a computer account name must be 15 characters or less including the prefix.  Active Directory uses the first 15 characters of the computer name to form the computer's logon name.  Computers log on to the domain just as users do.  Computer objects are actually a sub-class of user objects.

Windows will allow you to enter a name longer than 15 characters but the following warning will be shown:

The NetBIOS name of the computer is limited to 15 bytes

It is important to adhere to the 15-character limit to avoid name collisions.  For example, the following two computer names would conflict because the first 15 characters are identical.  One of the machines could not be a member of the domain:

| Computer Name | Active Directory Account Name |
| --- | --- |
| itd-aventferry01 | itd-aventferry0$ |
| itd-aventferry02 | itd-aventferry0$ |

One of two things will happen if you attempt to join a computer to the domain when a computer account with the same name (or same first 15 characters) already exists in the domain.  If the user who enters his/her credentials to join the 2nd computer to the domain does not have permissions on the existing computer object, the following message will be shown:

The following error occurred attempting to join the domain: Access is denied.

The person trying to join the 2nd computer to the domain will have to change the computer name in order to proceed. 

The other situation is less desirable.  If the user has sufficient permissions on the existing object, the 2nd computer being joined to the domain will take over the computer object and the computer originally in the domain will no longer function as a domain member.  The following message will be shown when a domain user attempts to log on to the 1st workstation:

Windows cannot connect to the domain
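
Because a colliding join can silently take over an existing computer object, it is worth checking planned names before any machine is joined. The following added example (not code from the original page) validates names against the computer account convention and reports names that share their first 15 characters; the function names are hypothetical and the case-insensitive comparison is an assumption of the example.

```python
# Added example (not from the original page): audit planned computer names
# against the convention and find names that share their first 15 characters.
import re
from collections import defaultdict

NETBIOS_MAX = 15                        # overall limit, prefix included
LEGAL = re.compile(r"[A-Za-z0-9-]+")    # letters, numbers and hyphens only


def account_name(computer_name: str) -> str:
    """First 15 characters plus '$', as in the table above.

    Lower-casing is an assumption of this example, made so that names
    differing only in case are compared as the same name.
    """
    return computer_name[:NETBIOS_MAX].lower() + "$"


def check_computer_name(name: str, prefix: str) -> list:
    """Return the convention violations for one name (empty list = OK)."""
    problems = []
    lead = prefix.lower() + "-"
    if not name.startswith(lead):
        problems.append("missing lowercase prefix and hyphen")
    elif len(name) == len(lead):
        problems.append("missing descriptor")
    if not LEGAL.fullmatch(name):
        problems.append("illegal or non-standard character")
    if len(name) > NETBIOS_MAX:
        problems.append("longer than 15 characters")
    return problems


def find_collisions(names) -> dict:
    """Map each shared account name to the computer names that produce it."""
    by_account = defaultdict(list)
    for name in names:
        by_account[account_name(name)].append(name)
    return {acct: sorted(group) for acct, group in by_account.items()
            if len(group) > 1}


if __name__ == "__main__":
    # Constructed sample inventory; the first two names are the page's example.
    planned = ["itd-aventferry01", "itd-aventferry02", "unity-afc-pc01"]
    for acct, group in find_collisions(planned).items():
        print(f"{acct}: shared by {', '.join(group)}")
    for name in planned:
        print(name, check_computer_name(name, name.split("-")[0]))
```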

DNS and Windows Computer Name Mismatches

This naming convention means that computers already registered in NCSU's DNS system are registered with names that don't adhere to this naming convention.  We are investigating whether or not this will cause problems if a computer's Windows/Active Directory name doesn't match its DNS name.  For example, a computer registered as "pc01.unity.ncsu.edu" should use the Windows and Active Directory computer name "unity-pc01" per the convention.  Ideally, this computer should be registered in DNS as "unity-pc01.unity.ncsu.edu".  At the current time, we don't know if a computer named "unity-pc01" but registered in DNS as "pc01" causes any problems.  If we do determine that this causes significant problems, we will provide a method to easily change DNS registrations to match the naming convention.  We certainly don't want administrators to have to manually change the DNS registration for every computer they manage.

Computer Account Name Examples

Here are some examples of computer account names that adhere to the naming convention:

Computer Account Name Examples
| DNS Hostname | Computer Name Prefix | Computer Name |
| --- | --- | --- |
| urlacher.unity.ncsu.edu | unity- | unity-urlacher |
| fox104.classtech.ncsu.edu | class- (Exception) | class-fox104 |
| shah135m.bae.ncsu.edu | bae- | bae-shah135m |
| pc01.vcl.ncsu.edu | vcl- | vcl-pc01 |
| gocubs.dyndns.org | dyndns- | dyndns-gocubs |
| n-503ral.nc.rr.com | nc-rr- | nc-rr-n-503ral |

 


Groups

Active Directory requires that group names be unique across the entire domain even if the group objects reside in different OUs.  For example, two departments cannot each have groups named "Administrators" even if they reside in different OUs.  This naming convention will prevent such collisions from occurring.

Departments are free to create as many groups as they'd like as long as the account names adhere to this naming convention:

Group Naming Convention
| Field: | <Department Prefix> | <Underscore> | <Descriptor> |
| --- | --- | --- | --- |
| Case: | Upper | Punctuation | Mixed |
Maximum Overall Length: 64 characters

Legal Characters
Everything EXCEPT These:
  • Slash (/)
  • Backslash (\)
  • Left Square Bracket ([)
  • Right Square Bracket (])
  • Colon (:)
  • Semicolon (;)
  • Vertical Bar (|)
  • Equal Sign (=)
  • Comma (,)
  • Plus Sign (+)
  • Asterisk (*)
  • Question Mark (?)
  • Less-Than Sign (<)
  • Greater-Than Sign (>)
  • Double Quotation Mark (")

Group Name Prefix

Group names must begin with a department prefix followed by an underscore (_) in order to ensure that names are unique across the domain.  The department prefix is based on the DNS domain that the department primarily uses.  The prefix for group names should be UPPERCASE for consistency.

Group Name Descriptor and Length

The descriptor is determined by the department's Active Directory administrators.  The descriptor can be anything as long as the entire group name is 64 characters or less and all group names beginning with a department's prefix are unique.

Group Name Character Restrictions

It is recommended that the illegal characters listed above not be used.  Active Directory will allow you to create a group containing illegal characters but will replace any illegal characters in the pre-Windows 2000 group name with underscores:

[Image: Illegal group characters]

Group Name Examples

Here are some examples of group names that adhere to the naming convention:

Group Name Examples
CALS_Lab-Admins
ITD_Helpdesk_Staff
ITD_Unity Home Directory Admins
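
The user and group character restrictions above both describe illegal characters being replaced with underscores in the pre-Windows 2000 name. This added example (not code from the original page) checks names against the two conventions and shows one consequence of that substitution: names that differ as typed can map to the same pre-Windows 2000 name. The function names are hypothetical, the substitution is modelled only as the page describes it, and the case-insensitive comparison is an assumption.

```python
# Added example (not from the original page): check user and group names
# against the convention and model the underscore substitution described above.
from collections import defaultdict

# Illegal characters as listed on this page; only the user list includes '@'.
GROUP_ILLEGAL = frozenset('/\\[]:;|=,+*?<>"')
USER_ILLEGAL = GROUP_ILLEGAL | {"@"}

# kind -> (prefix separator, prefix case, maximum length, illegal characters)
RULES = {
    "user": (".", str.lower, 20, USER_ILLEGAL),
    "group": ("_", str.upper, 64, GROUP_ILLEGAL),
}


def check_name(name: str, kind: str, prefix: str) -> list:
    """Return the convention violations for one name (empty list = OK)."""
    sep, case, max_len, illegal = RULES[kind]
    lead = case(prefix) + sep
    problems = []
    if not name.startswith(lead):
        problems.append(f"must start with {lead}")
    elif len(name) == len(lead):
        problems.append("missing descriptor")
    if len(name) > max_len:
        problems.append(f"longer than {max_len} characters")
    bad = sorted(set(name) & illegal)
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    return problems


def pre_windows_2000_name(name: str, kind: str) -> str:
    """The name with each illegal character replaced by an underscore."""
    illegal = RULES[kind][3]
    return "".join("_" if ch in illegal else ch for ch in name)


def substitution_collisions(names, kind: str) -> dict:
    """Names that map to the same pre-Windows 2000 name (case-insensitive)."""
    by_legacy = defaultdict(list)
    for name in names:
        by_legacy[pre_windows_2000_name(name, kind).lower()].append(name)
    return {legacy: sorted(group) for legacy, group in by_legacy.items()
            if len(group) > 1}


if __name__ == "__main__":
    # Constructed sample names; "cals.admin" is from the page's examples.
    users = ["cals.lab+admin", "cals.lab_admin", "cals.admin"]
    for name in users:
        print(name, check_name(name, "user", "cals"))
    print(substitution_collisions(users, "user"))
```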


Group Policy Objects (GPOs)

Active Directory requires that group policy object (GPO) names be unique.  GPOs do not actually reside in containers across the domain, but in a single container called "Policies" under the "System" container.  Each GPO resides in a container named after the policy's unique ID but the descriptive names still have to be unique.

The following message will appear if you try to create a GPO with a name that has already been given to another GPO in the domain:

GPO with that name already exists. Choose another name.

Departments are free to create as many group policy objects as they'd like as long as they adhere to this naming convention:

GPO Naming Convention
| Field: | <Department Prefix> | <Hyphen> | <Descriptor> |
| --- | --- | --- | --- |
| Case: | Upper | Punctuation | Mixed |
Maximum Overall Length: 255 characters

Legal Characters
All characters

GPO Name Prefix

GPO names must begin with an UPPERCASE department prefix followed by a hyphen (-).  The department prefix is based on the DNS domain that the department primarily uses.  GPO name prefixes should be UPPERCASE! This is for aesthetic reasons.  GPO names should be consistently formatted for the benefit and sanity of all who administer the domain.  GPOs created by all departments appear in a single list in the Group Policy Management Console:

[Image: GPO list in Group Policy Management Console]

GPO Descriptor and Length

The descriptor is determined by the department's Active Directory administrators.  The descriptor can be anything as long as the entire GPO name is 255 characters or less.

The descriptor should be written so that it is obvious to others exactly what your GPO does.  Avoid using abbreviations that are not known by everyone.  Create well-formatted, well-punctuated, consistent descriptors.

You should also create a convention within your department for your descriptors so that all of your GPOs that perform similar functions are formatted the same and appear next to each other in the list.  Establishing consistent fields that follow the prefix such as "Lab" or "Internal" will help you organize your GPOs.

GPO Name Character Restrictions

You can use any character on the keyboard for GPO names.

GPO Name Examples

Here are some well-formatted GPO name examples:

GPO Name Examples
Unity-Clear %TEMP% and %SystemRoot%\Temp at startup and shutdown
ITD-Test-ARK-Set desktop background color
ITD-Firewall-Exception-Server-KMS service

"Unity" and "ITD" GPOs

ITD's Microsys group creates GPOs beginning with either a "UNITY-" or "ITD-" prefix.  This is done to distinguish GPOs that are intended to be used in the general lab environment by multiple departments from those intended to only be applied to ITD's computers and users.

GPOs beginning with "UNITY-" are intended for the general lab environment that we provide and support.  These policies are applied to all of ITD's Unity lab computers.  In most cases, other departments will want to apply them to the labs they manage.

GPOs beginning with "ITD-" are intended to be applied to ITD's lab computers or to ITD's internal users, computers, or servers.  GPOs beginning with "ITD-Lab-" are applied to ITD's Unity labs but perform some department-specific task such as adding ITD's contact information to the computer.

 

Written By: Andy Kurth
2/8/2007

February 12, 2007