Active Directory Design (6)
A.7 Active Directory Logical Design
A.7.1 Naming convention
The Naming Convention covers all the objects that will be implemented. The Naming Convention ensures that object names are unique within the scope considered.
It is important to consider which object types will be visible to end users, in order to propose a naming scheme that is appropriate to the corporate culture.
| Object Type | Infrastructure Component | Visible to user |
|---|---|---|
| Forest Name | Active Directory | No, although possible |
| Windows 2003 Domain Name | Active Directory | No, although possible |
| NetBIOS Domain Name | Active Directory | Yes |
| Organizational Unit (OU) | Active Directory | No |
| Active Directory Site name | Active Directory | No |
| Site Link | Active Directory | No |
| Site Link bridge | Active Directory | No |
| Connection object | Active Directory | No |
| Server name | Active Directory | Yes |
| Group Name | Active Directory | No |
| GPO Name | Active Directory | No |
| Service Account | Active Directory | No |
| Admin Account | Active Directory | No |
| User or contractor logon name | Active Directory | Yes |
| User or contractor logon name (pre-Windows 2000) | Active Directory | Yes |
| Computer Name | Active Directory | Yes |
| Print Queue | Active Directory | Yes |
| File share | Active Directory | Yes |
A.7.1.1 Active Directory Technical Constraints
Active Directory imposes the following limitations:
- Every security principal name has to be unique in the domain. The names of security principals can contain any Unicode character except the special LDAP characters defined in RFC 2253.
- Maximum object name lengths are specified in bytes, because Unicode characters are supported and an individual character may require more than one byte. It is assumed that only roman characters are used, so that one character corresponds to one byte.
Active Directory technical constraints are summarized in the table below:
| Object Type | Maximum length | Constraints |
|---|---|---|
| Pre-Windows 2000 logon name | 20 bytes | Cannot contain any of the following characters (as in Windows NT 4.0): / \ [ ] : ; \| = , + * ? < > @ " . Must be unique in the domain. The Active Directory Users and Computers MMC snap-in proposes a pre-Windows 2000 user logon name based on the first 20 bytes of the user logon name. |
| User logon name | 150 bytes | The user logon name format is myLoginName@ad.corp. It cannot consist solely of periods (.) or spaces, or end in a period; any leading periods or spaces are cropped. It cannot contain the characters # , + " \ < > ; nor more than one @ character. In a Windows Server 2003 forest it must be unique within the forest. |
| Group | 64 bytes | Applies to all group scopes and types. Cannot contain the characters # , + " \ < > ; . A group name cannot consist solely of numbers, periods (.) or spaces; any leading periods or spaces are cropped. |
| NetBIOS computer name | 15 bytes | Cannot contain the characters # , + " \ < > ; . A computer name cannot consist solely of numbers, periods (.) or spaces; any leading periods or spaces are cropped. |
| DNS computer name | 63 characters | The maximum length of the machine DNS host name is 63 characters. The maximum length of the fully qualified domain name (FQDN) is 255 characters, including periods (.). |
A.7.1.2 Guidelines and Recommendations
The naming convention should be friendly and easy to apply. Give examples to ease understanding.
Do not use special characters such as: ~ “ ‘ ° & # % $ £ § µ < > , ; : @ ` ^ | = ! ? / \ * + ( ) [ ] {} space and period. The recommendation is to use only the character set defined for DNS names in RFC 1123.
The country code, if used, should be the ISO 3166 country code.
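A naming convention is only useful if candidate names are checked against the technical constraints before they are created. The checker below is an added example, not part of the original design document and not a Microsoft or XXX tool: it encodes the limits from the constraints table in A.7.1.1 (byte lengths, the NT 4.0 and RFC 2253 character sets, the "solely numbers, periods or spaces" rule, the DNS label limits) together with the RFC 1123 character recommendation from A.7.1.2. Every function returns a list of violations (an empty list means the name is acceptable), and the sample names at the bottom are constructed for the demonstration. Uniqueness in the domain or forest is deliberately not checked here, since that requires a directory query.

```python
"""Naming-convention checker for the Active Directory constraints listed above.

Each check_* function returns a list of violation strings; an empty list means
the proposed name is acceptable. Lengths are measured in UTF-8 bytes because the
design text states the limits in bytes and non-roman characters need several.
Hypothetical example code: it is not an AD or vendor API.
"""
import re

# Character sets transcribed from the technical-constraints table.
LDAP_SPECIAL = set('#,+"\\<>;')          # RFC 2253 specials: barred from UPN, group, NetBIOS names
NT4_ILLEGAL = set('/\\[]:;|=,+*?<>@"')   # barred from the pre-Windows 2000 logon name

# RFC 1123 host-name label: letters, digits and hyphen, no leading or trailing hyphen.
RFC1123_LABEL = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$')


def _byte_len(name):
    return len(name.encode('utf-8'))


def _bad_chars(name, forbidden):
    found = sorted(set(name) & forbidden)
    return ["forbidden character(s): " + ' '.join(found)] if found else []


def _only_filler(name, allow_digits):
    """True when the name consists solely of periods/spaces (optionally also digits)."""
    filler = '. ' + ('0123456789' if allow_digits else '')
    return all(c in filler for c in name)


def check_pre2000_logon(name):
    """Pre-Windows 2000 logon name: at most 20 bytes, Windows NT 4.0 character rules."""
    errors = []
    if not name:
        errors.append("name is empty")
    if _byte_len(name) > 20:
        errors.append("exceeds 20 bytes")
    errors += _bad_chars(name, NT4_ILLEGAL)
    return errors


def check_upn(name):
    """User logon name in the form myLoginName@ad.corp: at most 150 bytes."""
    errors = []
    cropped = name.lstrip('. ')          # AD crops leading periods and spaces
    if cropped != name:
        errors.append("leading periods/spaces would be cropped")
    if _byte_len(cropped) > 150:
        errors.append("exceeds 150 bytes")
    errors += _bad_chars(cropped, LDAP_SPECIAL)
    if cropped.count('@') != 1:
        errors.append("must contain exactly one @ (user@suffix)")
    local = cropped.split('@')[0]        # the part before the @ is the logon name proper
    if not local or _only_filler(local, allow_digits=False):
        errors.append("logon name cannot be empty or consist solely of periods/spaces")
    if cropped.endswith('.'):
        errors.append("cannot end in a period")
    return errors


def _check_ldap_name(name, max_bytes, kind):
    """Shared rules for group and NetBIOS computer names."""
    errors = []
    cropped = name.lstrip('. ')
    if cropped != name:
        errors.append("leading periods/spaces would be cropped")
    if _byte_len(cropped) > max_bytes:
        errors.append(f"exceeds {max_bytes} bytes")
    errors += _bad_chars(cropped, LDAP_SPECIAL)
    if not cropped or _only_filler(cropped, allow_digits=True):
        errors.append(f"{kind} cannot consist solely of numbers, periods or spaces")
    return errors


def check_group(name):
    return _check_ldap_name(name, 64, "group name")


def check_netbios_computer(name):
    return _check_ldap_name(name, 15, "NetBIOS computer name")


def check_dns_name(fqdn):
    """DNS computer name: host label <= 63 characters, FQDN <= 255 characters incl. periods."""
    errors = []
    if len(fqdn) > 255:
        errors.append("FQDN exceeds 255 characters")
    labels = fqdn.rstrip('.').split('.')
    if len(labels[0]) > 63:
        errors.append("host name exceeds 63 characters")
    for label in labels:
        if not RFC1123_LABEL.match(label):
            errors.append(f"label {label!r} is not a valid RFC 1123 label")
    return errors


def follows_guideline(name):
    """A.7.1.2 recommendation: only the RFC 1123 character set (ASCII letters, digits, hyphen)."""
    return bool(name) and all(c.isascii() and (c.isalnum() or c == '-') for c in name)


if __name__ == '__main__':
    # Constructed sample names, not taken from any real directory.
    samples = [
        ("pre-2000 logon", check_pre2000_logon, "j/smith"),
        ("pre-2000 logon", check_pre2000_logon, "é" * 11),        # 11 chars but 22 bytes
        ("UPN", check_upn, ".jsmith@ad.corp"),
        ("group", check_group, "12345"),
        ("NetBIOS computer", check_netbios_computer, "PARIS-FILESERVER01"),
        ("DNS name", check_dns_name, "-bad.ad.corp"),
    ]
    for kind, check, candidate in samples:
        print(f"{kind:18} {candidate!r:24} -> {check(candidate) or 'OK'}")
```

The byte-versus-character distinction from A.7.1.1 is why lengths are measured with `encode('utf-8')`: a name of eleven accented characters passes a character count but fails the 20-byte limit, which is exactly the case the "roman characters only" assumption is meant to rule out.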
Design Decision
Reuse the existing XXX France Naming Convention for the Asia Naming Convention where applicable.