The basics of naming objects within a directory.<\/p>\n
In the previous part of this article series, I explained that the LDAP protocol references objects in the Active Directory by their distinguished name, and that every object in the directory has its own unique distinguished name. In this article, I want to continue the discussion by explaining how distinguished names work.<\/p>\n
Before I get started, I just want to remind you that distinguished names are not unique to the Active Directory. Microsoft built the Active Directory to take advantage of industry standards which are used by other companies such as Novell and IBM. By learning how distinguished names work, you will not only be better prepared to manage an Active Directory environment, you will also have some degree of familiarity if you are ever asked to work with a non Microsoft network operating system.<\/p>\n
Distinguished names are made up of attributes, which are assigned values. A single distinguished name almost always contains multiple attribute value pairs. To see what I am talking about, let\u2019s look at a simple distinguished name:<\/p>\n
CN=User1, CN=Users, DC=Contoso, DC=com<\/em><\/p>\n In this particular example, the distinguished name is made up of four different attribute \/ value pairs, each of which are separated by a comma. The first attribute \/ value pair is CN=USER1. In this attribute \/ value pair, CN (which stands for Common Name) is the attribute and User1 is the value. Attributes and values are always separated by the\u00a0equals sign, and attribute \/ value pairs are always separated from each other by commas.<\/p>\n When you look at a distinguished name such as CN=User1, CN=Users, DC=Contoso, DC=com, one thing probably becomes immediately apparent; distinguished names can be really long. If you take a closer look at this distinguished name, you will notice that it is hierarchical. In this particular case, DC=com represents the highest level of the hierarchy. DC=Contoso represents the second level of the hierarchy. You can tell that COM and Contoso are both domains because both use the DC attribute. The domain hierarchy mimics the domain hierarchy used by DNS servers (you learned about the DNS hierarchy earlier in this series).<\/p>\n It is important to understand how the distinguished name hierarchy works for two reasons. First, by understanding the naming hierarchy, it becomes possible to know exactly where a particular object is located within the directory. The other reason why it is important to understand the nature of the directory hierarchy is because sometimes shortcuts are used in lieu of a full distinguished name.<\/p>\n To see what I am talking about, let\u2019s take another look at our example distinguished name: CN=User1, CN=Users, DC=Contoso, DC=com. This distinguished name simply refers to a user account (more precisely known as a user object) named User1. The rest of the information in the distinguished name simply tells us the object\u2019s position within the directory hierarchy.<\/p>\n If you were trying to tell another person about this object, you would probably casually refer to it as User1. Sometimes LDAP does the same thing. This is possible because it isn\u2019t necessary to provide information about an object\u2019s location in the hierarchy if the location is already known.<\/p>\n For example, if we are performing some operation on user objects located in the Users container in the Contoso.com domain, is it really necessary to explicitly state that every single object is located in the Contoso.com domain\u2019s Users container?<\/p>\n In situations like this, the distinguished name is often replaced by a Relative Display Name (abbreviated RDN). In the case of CN=User1, CN=Users, DC=Contoso, DC=com, the RDN is CN=User1. The RDN is always made up of the most specific identifier. This will be the left most attribute \/ value pair in the distinguished name. The remaining portion of the distinguished name is known as the parent distinguished name. In this particular case, the parent distinguished name would be CN=Users, DC=Contoso, DC=com.<\/p>\nRelative Distinguished Names<\/h2>\n