1. Introduction
2. Computer Names
3. User Account Names
4. Security and Distribution Groups
5. Group Policy Objects (GPOs)
6. CalNetAD Organization Prefixes
1. Introduction

We anticipate that many departments and units, large and small, on the Berkeley campus will elect to join the CalNetAD forest. Most of the administrative responsibilities in the forest will be delegated to system administrators in these departments and units, who will be creating Active Directory resources and the names that go with them. These naming standards are meant to maintain an orderly forest, to ease recognition of forest resources, and to avoid naming collisions between units that administer their own OUs but share one domain.
2. Computer Names

Windows computers have two names: a Fully Qualified Domain Name (FQDN) and a "pre-Windows 2000", or NetBIOS, name. In most cases the host portion of the two names will be identical and will be based upon the campus DNS name assigned to the campus IP address used by the machine.

However, DNS names are unique only within their DNS zone, while the NetBIOS name must be unique across the whole domain. Naming collisions can therefore occur when computers from different campus DNS subdomains are joined to the single CalNetAD domain, as the two examples below show.
Example 1: Computer with hostname ad-host1, DNS name ad-host1.ist.berkeley.edu, located in the EEI OU in Active Directory

COMPUTER NAME: ad-host1
DNS NAME: ad-host1.ist.berkeley.edu
DN: cn=ad-host1,ou=EEI,dc=campus,dc=berkeley,dc=edu

Example 2: Computer with hostname ad-host1, DNS name ad-host1.coe.berkeley.edu, located in the COEDEAN OU in Active Directory

COMPUTER NAME: ad-host1
DNS NAME: ad-host1.coe.berkeley.edu
DN: cn=ad-host1,ou=COEDEAN,dc=campus,dc=berkeley,dc=edu
The "pre-Windows 2000", or NetBIOS, computer name is really the account name for the computer. Active Directory stores it as the computer object's sAMAccountName with a trailing "$" (ad-host1$ in the examples), and it must be unique within the domain in which the computer account resides, regardless of which OU holds the object or which DNS suffix the machine uses. The two DNS names above can coexist in DNS, but only one computer account named ad-host1 can exist in the campus domain. In the two examples, the account name ad-host1 is already taken by the machine in the EEI OU in Example 1. Thus the machine in the COEDEAN OU in Example 2 will need to request a DNS name change to another, unique host name before it can join the domain.

For compatibility with "pre-Windows 2000" operating systems, the length of the NetBIOS computer name is limited to 15 characters. A DNS host name may be longer, but Windows then derives the NetBIOS name from its first 15 characters, so a host name of 15 characters or fewer keeps the two names identical and avoids a truncated NetBIOS name colliding with another machine's.
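The collision in the two examples is easy to catch before a machine is joined. The following PowerShell is an added example, not code from the CalNetAD page: it checks the 15-character limit and the character set, then asks the domain whether a computer account with that sAMAccountName already exists. It assumes the RSAT ActiveDirectory module is installed, that the domain is campus.berkeley.edu as in the page's DNs, and that the caller can read computer objects; the function and parameter names are our own.

```powershell
# Added example (not part of the CalNetAD page): pre-join check of a computer name.
# Assumes the ActiveDirectory module (RSAT) and read access to the campus domain.
Import-Module ActiveDirectory

function Test-CalNetAdComputerName {
    param(
        [Parameter(Mandatory)][string]$HostName,    # host portion only, e.g. ad-host1
        [Parameter(Mandatory)][string]$DnsSuffix,   # e.g. coe.berkeley.edu
        [string]$Domain = 'campus.berkeley.edu'     # assumption: the CalNetAD domain
    )
    $problems = @()

    # NetBIOS name: at most 15 characters, DNS-safe characters only.
    if ($HostName.Length -gt 15) {
        $problems += "'$HostName' is $($HostName.Length) characters; the NetBIOS limit is 15"
    }
    if ($HostName -notmatch '^[A-Za-z0-9-]+$') {
        $problems += "'$HostName' contains characters that are not valid in a host name"
    }

    # The computer account is the sAMAccountName '<name>$' and is unique per domain,
    # whatever OU or DNS suffix the machine ends up with. LDAP filters treat '$' literally.
    $sam = "$HostName`$"
    $existing = Get-ADComputer -Server $Domain -LDAPFilter "(sAMAccountName=$sam)"
    if ($existing) {
        $problems += ("'{0}' is already taken by {1} (DNS name {2}); request a different host name" -f
            $HostName, $existing.DistinguishedName, $existing.DNSHostName)
    }

    [pscustomobject]@{
        HostName       = $HostName
        DnsName        = "$HostName.$DnsSuffix"
        SamAccountName = $sam
        Available      = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Example 2 from the page: ad-host1 in coe.berkeley.edu collides with the EEI machine.
Test-CalNetAdComputerName -HostName 'ad-host1' -DnsSuffix 'coe.berkeley.edu'
```

Run it from a workstation that can reach a domain controller; when Available is false, the Problems field names the existing object so the two administrators can agree on who renames.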
3. User Account Names

As is the case with computers, a Windows user object has two names: a user "distinguished name" and an "account name". The account name (the sAMAccountName, shown in the console as the "pre-Windows 2000" logon name) must be unique within the CalNetAD domain. The user "distinguished name" in this standard is the Relative Distinguished Name (RDN) of the user object, its cn= value, which must be unique only within the Active Directory container (OU) in which it resides.

For users with a CalNetID, the user's Windows account name should be identical to the user's CalNetID.

For users who do not possess a CalNetID, the Windows user account name must be prefixed by pvt or svc, followed by the OU prefix and the user id, for example pvt-joe or svc-joe. Since pvt and svc are not allowed in CalNetIDs, these non-uniqname Windows user names will not conflict with uniqname-based accounts that may be created in the future.

Example: mycalnetid (uniqname-based CalNetAD user account name)
Example: pvt-localname (non-uniqname CalNetAD user account name)
Example: svc-localname (non-uniqname CalNetAD user account name)
For users with a CalNetID, the CalNetID is used for both the user RDN (cn=) and the account name. By using the uniqname rather than the person's full name as the RDN, we avoid the collisions within the CalNetAD forest that would otherwise result when two people share a name. For compatibility with "pre-Windows 2000" operating systems, the pre-Windows 2000 logon name (sAMAccountName) of a user object is limited to 20 characters (computer names, above, are limited to 15).
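The following PowerShell is an added example, not code from the CalNetAD page. It derives the account name from the page's rules (CalNetID used as-is; pvt- or svc- prefix for accounts without a CalNetID), rejects a CalNetID that would look like a prefixed account, enforces the sAMAccountName length limit, and checks domain-wide uniqueness. The function name, the -Kind parameter and the optional -OuPrefix (our reading of "followed by the OU prefix", which the page's own examples omit) are assumptions; the domain name is taken from the page's DNs.

```powershell
# Added example (not part of the CalNetAD page): derive and check a user account name.
# Assumes the ActiveDirectory module (RSAT) and read access to the campus domain.
Import-Module ActiveDirectory

function New-CalNetAdUserName {
    param(
        [Parameter(Mandatory)][string]$Name,                      # CalNetID, or local id for pvt/svc
        [ValidateSet('calnet', 'pvt', 'svc')][string]$Kind = 'calnet',
        [string]$OuPrefix = '',                                   # assumption: optional, e.g. 'eei'
        [string]$Domain = 'campus.berkeley.edu'                   # assumption: the CalNetAD domain
    )
    $id = $Name.ToLowerInvariant()

    # pvt/svc are reserved: a CalNetID may not start with them, and callers pass
    # the bare local id and select the prefix with -Kind rather than typing it.
    if ($id -match '^(pvt|svc)-') {
        throw "'$Name' starts with a reserved prefix; pass the bare id and use -Kind pvt or svc"
    }

    $sam = switch ($Kind) {
        'calnet' { $id }
        default  {
            if ($OuPrefix) { "$Kind-$($OuPrefix.ToLowerInvariant())-$id" } else { "$Kind-$id" }
        }
    }

    # sAMAccountName of a user object is limited to 20 characters.
    if ($sam.Length -gt 20) {
        throw "'$sam' is $($sam.Length) characters; the sAMAccountName limit is 20"
    }
    if ($sam -notmatch '^[a-z0-9-]+$') {
        throw "'$sam' contains characters that are not allowed in an account name"
    }

    # The account name is unique per domain; the cn (RDN) only needs to be unique in its OU.
    $clash = Get-ADUser -Server $Domain -LDAPFilter "(sAMAccountName=$sam)"
    $existingDn = if ($clash) { $clash.DistinguishedName } else { $null }

    [pscustomobject]@{
        SamAccountName = $sam
        Cn             = $sam          # the page uses the same value for the RDN and the account name
        Available      = (-not $clash)
        ExistingDn     = $existingDn
    }
}

# The page's three examples, plus the OU-prefixed form.
New-CalNetAdUserName -Name 'mycalnetid'
New-CalNetAdUserName -Name 'localname' -Kind pvt
New-CalNetAdUserName -Name 'localname' -Kind svc
New-CalNetAdUserName -Name 'localname' -Kind svc -OuPrefix 'eei'
```

The reserved-prefix check is the important one for the future-proofing the page describes: it keeps a locally created account from masquerading as a CalNetID-based one even if someone types the prefix by hand.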
4. Security and Distribution Groups

A Windows Active Directory group may be one of six kinds. Two categories, "security" and "distribution", define what the group can be used for (only security groups can appear in access control lists). Each category is further qualified by one of three scopes: "domain local", "global" or "universal". See the Microsoft TechNet article on Active Directory groups for a more detailed explanation of group categories and scopes.
The CalNetAD recommended naming standard for Active Directory security and distribution group names is:

CalNetAD OU name
descriptive name which explains the purpose of the group
type of group (ls, gs, us, ld, gd, ud); see the Note below

Active Directory group types (tt) are:

tt | group type
ls | domain local security
gs | global security
us | universal security
ld | domain local distribution
gd | global distribution
ud | universal distribution
Example: EEI-OU_Admins-gs

Because Active Directory group membership is replicated across the network, groups must be populated in ways that minimize replication. Universal group membership in particular is replicated to every global catalog server in the forest, so use global and domain local groups where possible. If you have a need to create a universal group, do not populate it with individual users, whose comings and goings would trigger forest-wide replication. Instead, build the universal group's membership out of other groups.
Note: All group types in AD are displayed with the same group icon, which can be visually confusing. The Active Directory Users and Computers console does show the group type field; however, testing has shown that after making changes to an individual group, the user interface no longer displays the group type description. This can cause confusion and lead to error, which is why we include the group type as part of the group naming scheme. Using this scheme will help prevent administrators from choosing the wrong group when they are nesting groups within groups, both in their own domain and across other domains.
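Because the suffix is only a convention, a group whose scope or category was changed after creation can end up with a misleading name, which is exactly the situation the Note describes. The following PowerShell is an added example, not code from the CalNetAD page: it builds a name in the page's OU-description-type form, pairs it with the matching New-ADGroup scope and category so the two cannot drift apart at creation time, audits an OU for groups whose suffix disagrees with their real scope and category, and lists universal groups that contain users directly. Function names, the hyphen separator and the OU DN are our assumptions.

```powershell
# Added example (not part of the CalNetAD page): group names with a type suffix,
# plus an audit of existing groups. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Suffix -> scope and category, as in the page's table.
$GroupSuffix = @{
    ls = @('DomainLocal', 'Security');     gs = @('Global', 'Security');     us = @('Universal', 'Security')
    ld = @('DomainLocal', 'Distribution'); gd = @('Global', 'Distribution'); ud = @('Universal', 'Distribution')
}

function New-CalNetAdGroupName {
    param(
        [Parameter(Mandatory)][string]$OuPrefix,      # e.g. EEI
        [Parameter(Mandatory)][string]$Description,   # e.g. OU_Admins
        [Parameter(Mandatory)][ValidateSet('ls', 'gs', 'us', 'ld', 'gd', 'ud')][string]$Type
    )
    $scope, $category = $GroupSuffix[$Type]
    [pscustomobject]@{
        Name          = "$OuPrefix-$Description-$Type"
        GroupScope    = $scope
        GroupCategory = $category
    }
}

# Create the group with exactly the scope and category its suffix promises.
# (Commented out so the script is safe to run for the audit alone.)
# $g = New-CalNetAdGroupName -OuPrefix 'EEI' -Description 'OU_Admins' -Type 'gs'
# New-ADGroup -Name $g.Name -SamAccountName $g.Name -GroupScope $g.GroupScope `
#     -GroupCategory $g.GroupCategory -Path 'ou=EEI,dc=campus,dc=berkeley,dc=edu'

function Test-CalNetAdGroupNames {
    # Reports every group under $OuDn whose name lacks a type suffix or whose
    # suffix no longer matches the group's actual scope and category.
    param([Parameter(Mandatory)][string]$OuDn)    # e.g. 'ou=EEI,dc=campus,dc=berkeley,dc=edu'
    Get-ADGroup -SearchBase $OuDn -Filter * | ForEach-Object {
        $suffix = if ($_.Name -match '-(ls|gs|us|ld|gd|ud)$') { $Matches[1] } else { $null }
        $actualScope    = $_.GroupScope.ToString()
        $actualCategory = $_.GroupCategory.ToString()
        $status = if (-not $suffix) {
            'NoTypeSuffix'
        } elseif ($GroupSuffix[$suffix][0] -ne $actualScope -or $GroupSuffix[$suffix][1] -ne $actualCategory) {
            'SuffixMismatch'
        } else {
            'OK'
        }
        [pscustomobject]@{ Name = $_.Name; Scope = $actualScope; Category = $actualCategory; Status = $status }
    }
}

function Find-UsersInUniversalGroups {
    # Universal group membership replicates to every global catalog, so the page
    # asks that universal groups contain groups, not individual users.
    param([Parameter(Mandatory)][string]$OuDn)
    Get-ADGroup -SearchBase $OuDn -Filter 'GroupScope -eq "Universal"' | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { [pscustomobject]@{ Group = $group.Name; DirectUserMember = $_.SamAccountName } }
    }
}

Test-CalNetAdGroupNames -OuDn 'ou=EEI,dc=campus,dc=berkeley,dc=edu' | Format-Table
Find-UsersInUniversalGroups -OuDn 'ou=EEI,dc=campus,dc=berkeley,dc=edu' | Format-Table
```

A SuffixMismatch row is worth treating as a finding rather than a cosmetic problem: a name ending in -gs that is actually a distribution group will silently fail to grant access, and one that is actually universal carries the replication cost the page warns about.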
5. Group Policy Objects (GPOs)

The naming convention for Group Policy Objects is to use your CalNetAD OU name as a prefix for all Group Policy names, for instance "EEI staff policy" or "HAAS lab 300 policy". GPO names are not unique in Active Directory (the GPO's GUID is), so prefixing names with your OU name reduces the likelihood that similarly named Group Policy Objects from different units will be confused with one another when they are linked or edited.
6. CalNetAD Organization Prefixes

A list of the CalNetAD OU names and prefixes is available here (requires CalNet authentication).