This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.
I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.
So, if you own foo.com
, use ad.foo.com
or some such.
The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www
) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com
into their browser would be redirected to www.foo.com
by these IIS installations. Utter silliness!
Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)
Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)
I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not moreso) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.
In AD the CN (initiall derived from Display Name when an account is created) must be unique within the same OU. The reason is that the DistinguishedName value must be unique and the DistinguishedName is composed of the domain\ou(s)\CN so if the domain is the same and the ou is the same, the CN must be different. When you first create a user in AD the First and Last name are combined to form the CN and the displayName attributes (Last, First), but these can be changed after creation as in the example below.
Example workaround:
If you have two user's with the same name that need to go in the same OU you would do the following.
- Create the first user Joe Smith (DN will be
yourdomain.com\Accounting"Smith, Joe")
- Rename "Smith, Joe" to something like "Smith, Joe L" (DN will be
yourdomain.com\Accounting"Smith, Joe L."
- Create the second user Joe Smith (DN will be
yourdomain.com\Accounting"Smith, Joe")
- At this point you can let the second joe smith stay "Smith, Joe" or
you can change it like in step 2.
This is fundamental LDAP behavior - not just AD. The DN is the unique identifier - kind of similar to a URL.
If it didn't work this way then when searched for (dn=mydomain.com\Users\Accounting\Smith, Joe) you would get back two user objects assuming you had two Joe Smith users in the Accounting OU.
To avoid this problem some organizations will sometimes use an employee ID as the CN which is always unique. This doesn't effect the user's name which is derived from the sn and givenName attributes.
Best Answer
Here are the documents you're looking for:
User and Group Accounts
Computers, Domains, Sites, and OUs
Basically, user names can contain a single quote character, but computer names cannot.
These documents are very old, but if that's the way it was in Win2000, you can bet current versions retain the limitations for backward compatibility.