
Active Directory - Naming Context

Knowledge-Base Questions & Answers

What is NC (Naming Context)?


Each DC (Domain Controller) in a forest managed by AD DS (Active Directory Domain Services) holds
one or more directory partitions. A directory partition is also called an NC (Naming Context): a
contiguous subtree of the directory that is replicated as a unit, so the NC an object belongs to
determines which DCs hold a copy of it.

What are the predefined NCs of AD (Active Directory)?


There are three predefined Naming Contexts within AD:
- Schema NC (forest level):
o Schema NC contains the AD schema, which defines the object classes and attributes that can
exist in the directory.
o Its DN is CN=Schema,CN=Configuration,<forest root domain DN>; it is a separate partition
even though its DN sits under the Configuration NC.
o It is replicated to every DC in the forest.
- Configuration NC (forest level):
o Configuration NC contains forest-wide configuration information, such as the sites, site links,
subnets and domains that describe the physical and logical design of AD.
o It is replicated to every DC in the forest.
- Domain NC (domain level):
o Domain NC contains the most commonly accessed AD data (for example, users,
groups, and computers).
o It is replicated to every DC within a single AD domain; a Global Catalog server additionally
holds a read-only, partial copy of every domain NC in the forest.
Besides these three, a forest can hold application partitions (for example DomainDnsZones and
ForestDnsZones, used by AD-integrated DNS), which replicate only to the DCs enrolled for them.
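The rootDSE of a DC names the partitions it hosts (namingContexts) and tells which of them is the schema, configuration and default domain NC. The following PowerShell is an added example, not code from the original page: it labels each NC a DC hosts, and derives the forest root domain from the Configuration NC's DN. The rootDSE values are constructed for the page's fictitious abc.com forest; the function name is hypothetical.

```powershell
# Added example (not from the original page): classify the naming contexts a DC hosts
# from its rootDSE attributes. Sample values below are constructed for abc.com.
function Get-NamingContextKind {
    param(
        [Parameter(Mandatory)][string[]]$NamingContexts,
        [Parameter(Mandatory)][string]$SchemaNamingContext,
        [Parameter(Mandatory)][string]$ConfigurationNamingContext,
        [Parameter(Mandatory)][string]$DefaultNamingContext
    )
    # The Configuration NC always sits directly under the forest root domain's DN,
    # so stripping its leading RDN gives the forest root domain NC.
    $forestRoot = $ConfigurationNamingContext -replace '^CN=Configuration,', ''

    foreach ($nc in $NamingContexts) {
        # DN comparison is case-insensitive, which is also PowerShell's -eq default.
        $kind = switch ($nc) {
            { $_ -eq $SchemaNamingContext }        { 'Schema (forest-wide)'; break }
            { $_ -eq $ConfigurationNamingContext } { 'Configuration (forest-wide)'; break }
            { $_ -eq $DefaultNamingContext -and $_ -eq $forestRoot } { 'Domain (forest root domain)'; break }
            { $_ -eq $DefaultNamingContext }       { 'Domain (child domain)'; break }
            default { 'Other partition hosted here (typically an application partition, e.g. DNS zones)' }
        }
        [pscustomobject]@{ NamingContext = $nc; Kind = $kind }
    }
}

# Constructed sample of what rootDSE returns for a DC in abc.com (not a real directory).
$rootDse = [pscustomobject]@{
    namingContexts             = @(
        'DC=abc,DC=com',
        'CN=Configuration,DC=abc,DC=com',
        'CN=Schema,CN=Configuration,DC=abc,DC=com',
        'DC=DomainDnsZones,DC=abc,DC=com',
        'DC=ForestDnsZones,DC=abc,DC=com'
    )
    schemaNamingContext        = 'CN=Schema,CN=Configuration,DC=abc,DC=com'
    configurationNamingContext = 'CN=Configuration,DC=abc,DC=com'
    defaultNamingContext       = 'DC=abc,DC=com'
}

Get-NamingContextKind -NamingContexts $rootDse.namingContexts `
    -SchemaNamingContext $rootDse.schemaNamingContext `
    -ConfigurationNamingContext $rootDse.configurationNamingContext `
    -DefaultNamingContext $rootDse.defaultNamingContext | Format-Table -AutoSize

# Against a live DC, replace $rootDse with either of these (same attribute names):
#   $rootDse = Get-ADRootDSE            # ActiveDirectory module
#   $rootDse = [adsi]'LDAP://RootDSE'   # no module required
```

With the sample values the first three entries come back as Domain (forest root domain), Configuration and Schema, and the two DNS zone partitions fall into the "other partition" bucket, which is how you spot application partitions that the three-NC description above does not cover.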

What naming formats does AD use?


The items below are not naming contexts (partitions); they are the naming formats and name
components AD uses to identify an object:
- DN (Distinguished Name)
- RDN (Relative Distinguished Name)
- Domain Component (DC), a component of a DN
- OU (Organizational Unit), a component of a DN
- Canonical Name (abbreviated CNAME on this page; unrelated to the DNS CNAME record)
- UPN (User Principal Name)

What is DN (Distinguished Name)?


- Each object in the directory has a DN that is unique within the forest. Like a FQDN (Fully
Qualified Domain Name), it identifies not only the object itself but also where the object
resides in the directory hierarchy.
- Two objects with the same DN cannot exist.
- A DN is written leaf-first: the object's own RDN, then its parent container, and so on up to
the domain.
- If an AD object is moved to another container, its DN changes to reflect its new position in
the hierarchy (its objectGUID does not, which is why the GUID is the stable identifier).
- Example of DN:
CN=TestUser,CN=Users,DC=abc,DC=com
In this example, the DN indicates that the user object TestUser is in the Users container (a
container, CN=, not an OU), which is located in the abc.com domain.

What is RDN (Relative Distinguished Name)?

- RDN is the leftmost component of a DN: the name that uniquely identifies the object within its
parent container. Two siblings in the same container cannot share an RDN, but the same RDN
can appear in different containers.
- Example of RDN:
CN=TestUser

What is Domain Component?


Each Domain Component (DC=) in a DN holds one label of the domain's DNS (Domain Name System)
name. The components appear in the same order as the DNS labels, so abc.com becomes
DC=abc,DC=com; this DN of the domain is also the name of its Domain NC.

What is OU (Organizational Unit)?


- OU is used for building a hierarchy within the AD domain.
- It is the smallest unit to which administrative control can be delegated and to which Group
Policy can be linked; the policy applies to the user and computer objects in the OU (groups
only filter it, they do not receive policy).
- In a DN an OU appears as an OU= component (for example, OU=Sales,DC=abc,DC=com), whereas
built-in containers such as Users appear as CN= and cannot have Group Policy linked to them.

What is CNAME (Canonical Name)?


- The canonical name is an alternative representation of an object's location in the directory,
exposed through the constructed attribute canonicalName. It is not the DNS CNAME record type.
- It carries the same information as the DN but uses a different syntax: the path starts at the
root (the DNS name of the domain) and works downward to the object, with the components
separated by slashes.
- Unlike the DN, it does not carry the LDAP (Lightweight Directory Access Protocol)
attribute-type prefixes (CN=, OU=, DC=), so the component type is not visible in the name.
- Example of CNAME:
abc.com/Users/TestUser
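The DN, RDN, Domain Component and canonical name sections above describe one naming scheme from different angles. The following PowerShell is an added example, not code from the original page: it splits a DN into its RDNs, returns the object's own RDN and its parent container, joins the DC= components into the DNS domain name, and rebuilds the canonical name. The function names are hypothetical; the sample DNs use the page's abc.com example. Backslash escapes such as "\," are handled, hex escapes such as "\2C" are not decoded.

```powershell
# Added example (not from the original page): DN parsing and DN -> canonical name.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Break on commas that are not preceded by a backslash; escapes stay in the RDN text.
    $rdns = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped) {
            [void]$current.Append($ch); $escaped = $false
        } elseif ($ch -eq '\') {
            [void]$current.Append($ch); $escaped = $true
        } elseif ($ch -eq ',') {
            $rdns.Add($current.ToString()); [void]$current.Clear()
        } else {
            [void]$current.Append($ch)
        }
    }
    $rdns.Add($current.ToString())
    return ,$rdns.ToArray()    # leading comma keeps a one-element result an array
}

function ConvertFrom-Rdn {
    param([Parameter(Mandatory)][string]$Rdn)
    # "CN=Smith\, John" -> Type CN, Value "Smith, John" (backslash escapes removed)
    $type, $value = $Rdn -split '=', 2
    [pscustomobject]@{
        Type  = $type.Trim().ToUpperInvariant()
        Value = ($value -replace '\\(.)', '$1')
    }
}

function Get-ObjectRdn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Split-DistinguishedName $DistinguishedName)[0]
}

function Get-ParentDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ((Split-DistinguishedName $DistinguishedName) | Select-Object -Skip 1) -join ','
}

function ConvertTo-CanonicalName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = foreach ($rdn in Split-DistinguishedName $DistinguishedName) { ConvertFrom-Rdn $rdn }
    # The DC= components, in DN order, are the labels of the domain's DNS name.
    $domain = @($parts | Where-Object Type -eq 'DC' | ForEach-Object Value) -join '.'
    # Everything else is the container path. The DN lists it leaf-first and the
    # canonical name root-first, so reverse it. A literal "/" in a value becomes "\/".
    $path = @($parts | Where-Object Type -ne 'DC' | ForEach-Object { $_.Value -replace '/', '\/' })
    [array]::Reverse($path)
    return "$domain/" + ($path -join '/')
}

$dn = 'CN=TestUser,CN=Users,DC=abc,DC=com'
Split-DistinguishedName $dn
Get-ObjectRdn $dn
Get-ParentDistinguishedName $dn
ConvertTo-CanonicalName $dn
# A move to OU=Staff gives the object a new parent, hence a new DN, while its RDN
# is unchanged. This only builds the resulting DN; nothing is written to the directory.
"$(Get-ObjectRdn $dn),OU=Staff,DC=abc,DC=com"
# An RDN value containing an escaped comma:
ConvertTo-CanonicalName 'CN=Smith\, John,OU=Sales,DC=abc,DC=com'
```

For the page's example DN the parent comes back as CN=Users,DC=abc,DC=com and the canonical name as abc.com/Users/TestUser; the escaped-comma DN yields abc.com/Sales/Smith, John, which shows why a canonical name cannot be split on commas the way a DN can.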

What is UPN (User Principal Name) in AD?


- A UPN is an Internet-style logon name for a user account, in the form username@UPN-suffix,
stored in the userPrincipalName attribute.
- Users can log on with their UPN instead of the DOMAIN\username form.
- A UPN must be unique in the forest. Older DCs did not enforce this, so duplicates could be
created through LDAP or scripts; DCs running Windows Server 2012 R2 or later reject a write
that would create a duplicate UPN. Duplicate UPNs can cause logon failures, so a forest with
older history is worth auditing.
- It is not the same as an e-mail address. A UPN can match a user's email address, but this is
not a general rule, and the UPN suffix does not have to be a DNS domain in the forest
(alternative suffixes can be added at the forest level).
- For example, user@domain.com consists of:
o user name (logon name)
o separator (the @ symbol)
o domain name (UPN suffix)

What is a GUID (Globally Unique Identifier)?


- AD uses the GUID internally to identify an object: every object receives an objectGUID
(a 128-bit value) when it is created, and the GUID never changes, even when the object is
renamed or moved (which changes its DN).
- When a security principal (user, group or computer) is created, AD additionally assigns it a
SID (Security Identifier), which is what access control lists and access tokens refer to. The
GUID identifies the object to the directory; the SID identifies the principal to the security
subsystem.

What is SPN (Service Principal Name) in AD?


- SPN is a unique identifier of a service instance, in the form
serviceclass/host[:port][/servicename] (for example MSSQLSvc/sql01.abc.com:1433), stored in
the multi-valued servicePrincipalName attribute of the account the service runs as.
- It is used by Kerberos authentication to associate a service instance with a service logon
account: a client requests a ticket for the SPN, and the KDC encrypts the service ticket with
the key of the account on which that SPN is registered.
- An SPN must be registered on exactly one account in the forest; a duplicate SPN breaks
Kerberos for that service, and DCs running Windows Server 2012 R2 or later reject a write
that would create one.
- Because any authenticated user can request a ticket for any registered SPN, an SPN on a user
account with a weak password exposes that password to offline cracking (Kerberoasting);
prefer computer accounts, group Managed Service Accounts or long random passwords for
accounts that carry SPNs.
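The UPN and SPN sections above both hinge on the same property: each name must map to exactly one account in the forest. The following PowerShell is an added example, not code from the original page: it parses an SPN into its parts, reports UPNs and SPNs that are registered on more than one account, and lists SPNs that sit on user (rather than computer) accounts. The account records are constructed sample data for the page's abc.com forest, shaped like what Get-ADObject returns; the function names are hypothetical.

```powershell
# Added example (not from the original page): SPN parsing and principal-name uniqueness checks.
function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    # SPN syntax: serviceclass/host[:port][/servicename]
    if ($Spn -notmatch '^(?<class>[^/]+)/(?<host>[^/:]+)(?::(?<port>\d+))?(?:/(?<name>.+))?$') {
        throw "Not a well-formed SPN: $Spn"
    }
    [pscustomobject]@{
        ServiceClass = $Matches['class']
        Host         = $Matches['host']
        Port         = $Matches['port']
        ServiceName  = $Matches['name']
    }
}

function Find-DuplicatePrincipalName {
    param([Parameter(Mandatory)][object[]]$Account)
    # One row per (kind, name, owner); names are compared case-insensitively, as AD does.
    $rows = foreach ($a in $Account) {
        if ($a.userPrincipalName) {
            [pscustomobject]@{ Kind = 'UPN'; Name = $a.userPrincipalName.ToLowerInvariant(); Owner = $a.samAccountName }
        }
        foreach ($spn in @($a.servicePrincipalName)) {
            if ($spn) {
                [pscustomobject]@{ Kind = 'SPN'; Name = $spn.ToLowerInvariant(); Owner = $a.samAccountName }
            }
        }
    }
    $rows | Group-Object Kind, Name | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{
            Kind   = $_.Group[0].Kind
            Name   = $_.Group[0].Name
            Owners = ($_.Group.Owner | Sort-Object -Unique) -join ', '
        }
    }
}

function Find-UserAccountSpn {
    param([Parameter(Mandatory)][object[]]$Account)
    # SPNs on user (not computer) accounts: tickets for them are encrypted with a key
    # derived from a human-chosen password, which is what Kerberoasting attacks.
    foreach ($a in $Account) {
        if ($a.objectClass -ne 'user') { continue }
        foreach ($spn in @($a.servicePrincipalName)) {
            if (-not $spn) { continue }
            $p = ConvertFrom-Spn $spn
            [pscustomobject]@{ Owner = $a.samAccountName; ServiceClass = $p.ServiceClass; Host = $p.Host; Port = $p.Port; Spn = $spn }
        }
    }
}

# Constructed sample data (not from a real directory). Single quotes keep 'SQL01$' literal.
$sampleAccounts = @(
    [pscustomobject]@{ samAccountName = 'testuser';  objectClass = 'user';     userPrincipalName = 'testuser@abc.com'; servicePrincipalName = @() }
    [pscustomobject]@{ samAccountName = 'testuser2'; objectClass = 'user';     userPrincipalName = 'TestUser@abc.com'; servicePrincipalName = @() }   # duplicate UPN, case differs
    [pscustomobject]@{ samAccountName = 'svc_sql';   objectClass = 'user';     userPrincipalName = 'svc_sql@abc.com';  servicePrincipalName = @('MSSQLSvc/sql01.abc.com:1433') }
    [pscustomobject]@{ samAccountName = 'SQL01$';    objectClass = 'computer'; userPrincipalName = $null;              servicePrincipalName = @('HOST/sql01.abc.com', 'MSSQLSvc/sql01.abc.com:1433') }   # same SPN as svc_sql
)

Find-DuplicatePrincipalName -Account $sampleAccounts | Format-Table -AutoSize
Find-UserAccountSpn -Account $sampleAccounts | Format-Table -AutoSize

# Against a live forest (ActiveDirectory module). (objectClass=user) also matches
# computer objects, because computer is a subclass of user in the schema.
# $live = Get-ADObject -LDAPFilter '(objectClass=user)' -Properties samAccountName, objectClass, userPrincipalName, servicePrincipalName
# Find-DuplicatePrincipalName -Account $live
# Find-UserAccountSpn -Account $live
```

On the sample data the duplicate report contains two rows: the UPN testuser@abc.com owned by testuser and testuser2, and the SPN mssqlsvc/sql01.abc.com:1433 owned by both SQL01$ and svc_sql. The second is the case that breaks Kerberos for the SQL service, because the KDC cannot tell which account's key to use; the first is the case a 2012 R2 or later DC would have refused to create.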
