Why does Windows call itself NT internally

Naming conventions in Active Directory for computers, domains, sites, and organizational units


This article describes the naming conventions for Windows computer accounts, NetBIOS domain names, DNS domain names, Active Directory sites, and organizational units (OUs) that are defined in the Active Directory directory service.

Applies to: Windows Server 2012 R2
Original KB number:   909264

Summary

This article covers the following topics:

  • The valid characters for names
  • The minimum and maximum lengths of the name
  • Reserved names
  • Names that are not recommended
  • General recommendations based on Active Directory support in small, medium, and large deployments

All objects named in Active Directory or in AD/AM and LDS are subject to name matching based on the algorithm described in the following article:

You cannot add a user name or an object name that has only a diacritical mark.

In this article, this naming convention applies to computer, OU, and site names.

Computer names

NetBIOS computer names

  • Allowed characters

    NetBIOS computer names can contain any alphanumeric characters except the extended characters that are listed under Invalid characters. Names can contain a period, but names cannot begin with a period.

  • Invalid characters

    NetBIOS computer names cannot contain the following characters:

    • backslash (\)

    • Slash (/)

    • Colon (:)

    • Asterisk (*)

    • Question mark (?)

    • Quotation marks (")

    • Less-than sign (<)

    • Greater-than sign (>)

    • vertical bar (|)

      Names can contain a period (.). However, the name cannot begin with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. Periods should not be used in Microsoft Windows 2000 or later versions of Windows. If you are upgrading a computer whose NetBIOS name contains a period, change the computer name. For more information, see Special characters.

      In Windows 2000 and later versions of Windows, computers that are members of an Active Directory domain cannot have names that are made up entirely of numbers. This limitation is due to DNS restrictions.

      For more information about the NetBIOS name syntax, see NetBIOS Name Syntax.

  • Minimum name length: 1 character

  • Maximum name length: 15 characters

    Note

    The 16th character is reserved to identify the functionality installed on the registered network device.

  • Reserved names

    See table of reserved words.

  • Special characters: period (.)

    A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identifies logical NetBIOS networks running on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

    Using NetBIOS scopes in names is a legacy configuration. It should not be used with Active Directory forests. For more information on NetBIOS scopes, visit the following websites:

DNS host names

  • Allowed characters

    DNS names can only contain alphabetic characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are only allowed when used to separate the components of domain names.

    The Windows 2000 Domain Name System (DNS) and Windows Server 2003 DNS support Unicode characters. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters when submitting queries to servers that use non-Microsoft implementations of DNS.

    For more information, please visit the following websites:

  • Invalid characters

    DNS host names cannot contain the following characters:

    • Comma (,)

    • tilde (~)

    • Colon (:)

    • Exclamation mark (!)

    • at sign (@)

    • Pound sign (#)

    • Dollar sign ($)

    • Percent (%)

    • caret (^)

    • ampersand (&)

    • apostrophe (')

    • Period (.)

    • Brackets (())

    • curly braces ( {} )

    • Underscore (_)

    • Space (empty)

      The underscore has a special role. It is permitted for the first character in SRV data records according to the RFC definition. However, newer DNS servers can also allow this anywhere in a name. For more information, see Complying with Name Restrictions for Hosts and Domains.

      Further rules are:

    • All characters preserve their case formatting except for American Standard Code for Information Interchange (ASCII) characters.

    • The first character must be alphabetical or numeric.

    • The last character cannot be a minus sign or a period.

    • Two-character SDDL user strings that are on the well-known SIDs list cannot be used. Otherwise, import, export, and take control operations fail.

      In Windows 2000 and later versions of Windows, computers that are members of an Active Directory domain cannot have names that are made up entirely of numbers. This limitation is due to DNS restrictions.

      Note

      DNS host name registration substitutes a hyphen (-) for invalid characters.

  • Minimum name length: 2 characters

  • Maximum name length: 63 characters

    The maximum length of the host name and the fully qualified domain name (FQDN) is 63 bytes per label and 255 bytes per FQDN.

    Note

    Windows does not allow computer names longer than 15 characters, and you cannot specify a DNS host name that is different from the NetBIOS host name. However, you can create host headers for a website that is hosted on a computer, and those are subject to this recommendation.

    In Windows 2000 and Windows Server 2003, the maximum host name and FQDN use the standard length restrictions mentioned earlier, with support for UTF-8 (Unicode). Because some UTF-8 characters are longer than one octet, you cannot determine the size by counting the characters.

    Domain controllers must have an FQDN of less than 155 bytes.

  • Reserved names according to RFC 952

    • -GATEWAY

    • -GW

    • -TAC

      See RFC 952 for more information.

  • Reserved names in Windows

    See table of reserved words.

  • Best practices

    When creating names for the DNS computers in a new Windows Server 2003 DNS infrastructure, use the following guidelines:

    • Choose computer names that are easy for users to remember.
    • Identify the owner of the computer by the computer name.
    • Choose a name that describes the purpose of the computer.
    • Do not use character case to indicate the owner or purpose of a computer. For ASCII characters, DNS is not case-sensitive, and Windows and Windows applications do not preserve case in all places.
    • Match the Active Directory domain name to the primary DNS suffix of the computer name. See the Disjoint namespaces section below for more information.
    • Use a unique name for each computer in your organization. Avoid using the same computer name for computers in different DNS domains.
    • Use ASCII characters. This ensures interoperability with computers running versions of Windows earlier than Windows 2000.
    • Use only the characters listed in RFC 1123 in DNS computer names. These characters include A-Z, a-z, 0-9, and the hyphen (-). In Windows Server 2003, DNS allows most UTF-8 characters in names. Do not use extended ASCII or UTF-8 characters unless all DNS servers in your environment support them.
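
The computer name rules from the NetBIOS computer names and DNS host names sections above can be checked mechanically, for example before a name is accepted by a provisioning script. The following is an added example, not code from the original article; the function names, the shortened reserved-word set, and the sample inventory are assumptions made for illustration.

```python
import re

# Characters the article lists as invalid in NetBIOS computer names.
NETBIOS_INVALID = set('\\/:*?"<>|')
# A few entries from the article's table of reserved words (not the full table).
RESERVED_SAMPLE = {"ANONYMOUS", "BATCH", "BUILTIN", "LOCAL", "NETWORK",
                   "NT AUTHORITY", "SERVICE", "SYSTEM", "WORLD"}
# RFC 1123 characters only; first character alphanumeric, last not a hyphen.
RFC1123_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def is_all_digits(name):
    """True for names made up entirely of ASCII digits."""
    return name.isascii() and name.isdigit()


def check_netbios_name(name):
    """Return the rules from the article that a NetBIOS computer name breaks."""
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("length outside 1-15 characters")
    bad = sorted(set(name) & NETBIOS_INVALID)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if name.startswith("."):
        problems.append("begins with a period")
    elif "." in name:
        problems.append("contains a period")
    if is_all_digits(name):
        problems.append("all-numeric name")
    if name.upper() in RESERVED_SAMPLE:
        problems.append("reserved word")
    return problems


def check_dns_host_label(label):
    """Return the rules that a single DNS host name label breaks."""
    problems = []
    size = len(label.encode("utf-8"))  # the limit is in bytes, not characters
    if len(label) < 2:
        problems.append("shorter than 2 characters")
    if size > 63:
        problems.append(f"{size} bytes exceeds the 63-byte label limit")
    if not RFC1123_LABEL.fullmatch(label):
        problems.append("characters outside RFC 1123 (A-Z, a-z, 0-9, hyphen)")
    if is_all_digits(label):
        problems.append("all-numeric name")
    if label.upper() in RESERVED_SAMPLE:
        problems.append("reserved word")
    return problems


def audit(names):
    """Map each non-compliant name to its NetBIOS and DNS findings."""
    report = {}
    for name in names:
        findings = {"netbios": check_netbios_name(name),
                    "dns": check_dns_host_label(name)}
        if findings["netbios"] or findings["dns"]:
            report[name] = findings
    return report


# Constructed sample inventory, not taken from any real environment.
SAMPLE_NAMES = ["WEB-01", "12345", "db_01", "SYSTEM", ".printer",
                "FILESERVER-BERLIN-01", "ü" * 32]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_NAMES).items():
        print(name, findings)
```

The last sample name is 32 characters long but 64 bytes in UTF-8, which is the case the article warns about when it says the size cannot be determined by counting characters.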

Domain name

Here you can find details on NetBIOS domain names and DNS domain names.

NetBIOS domain name

  • Allowed characters

    NetBIOS domain names can contain any alphanumeric characters except the extended characters that are listed under Invalid characters. Names can contain a period, but names cannot begin with a period.

  • Invalid characters

    NetBIOS computer names cannot contain the following characters:

    • backslash (\)

    • Slash (/)

    • Colon (:)

    • Asterisk (*)

    • Question mark (?)

    • Quotation marks (")

    • Less-than sign (<)

    • Greater-than sign (>)

    • vertical bar (|)

      Names can contain a period (.). However, the name cannot begin with a period. The use of non-DNS names with periods is allowed in Microsoft Windows NT. Periods should not be used in Active Directory domains. If you are upgrading a domain whose NetBIOS name contains a period, change the name by migrating the domain to a new domain structure. Do not use periods in new NetBIOS domain names.

      In Windows 2000 and later versions of Windows, computers that are members of an Active Directory domain cannot have names that are made up entirely of numbers. This limitation is due to DNS restrictions.

  • Minimum name length: 1 character

  • Maximum name length: 15 characters.

    Note

    The 16th character is reserved to identify the functionality installed on the registered network device.

  • Reserved names in Windows

    See table of reserved words.

    The name of an upgraded domain can contain a reserved word. However, trust relationships with other domains will fail in this situation.

  • Special characters: period (.).

    A period character separates the name into a NetBIOS scope identifier and the computer name. The NetBIOS scope identifier is an optional string of characters that identifies logical NetBIOS networks running on the same physical TCP/IP network. For NetBIOS to work between computers, the computers must have the same NetBIOS scope identifier and unique computer names.

    Warning

    Using NetBIOS scopes in names is a legacy configuration. It should not be used with Active Directory forests. This is not an inherent problem, but there may be applications that filter the name and assume a DNS name if a period is found.

DNS domain name

  • Allowed characters

    DNS names can only contain alphabetic characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are only allowed when used to separate the components of domain names.

    The Windows 2000 Domain Name System (DNS) and Windows Server 2003 DNS support Unicode characters. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters when submitting queries to servers that use non-Microsoft implementations of DNS.

    For more information, please visit the following websites:

  • Invalid characters

    DNS domain names cannot contain the following characters:

    • Comma (,)

    • tilde (~)

    • Colon (:)

    • Exclamation mark (!)

    • at sign (@)

    • Pound sign (#)

    • Dollar sign ($)

    • Percent (%)

    • caret (^)

    • ampersand (&)

    • apostrophe (')

    • Period (.)

    • Brackets (())

    • curly braces ( {} )

    • Underscore (_)

    • Space (empty)

      The underscore has a special role. It is permitted for the first character in SRV data records according to the RFC definition. However, newer DNS servers can also allow this anywhere in a name. For more information, see Complying with Name Restrictions for Hosts and Domains.

      When promoting a new domain, a warning appears that an underscore may cause problems with some DNS servers. However, you can still create the domain.

      Further rules are:

    • All characters preserve their case formatting, with the exception of ASCII characters.

    • The first character must be alphabetical or numeric.

    • The last character cannot be a minus sign or a period.

  • Minimum name length: 2 characters

  • Maximum name length: 255 characters

    The maximum length of the host name and the fully qualified domain name (FQDN) is 63 bytes per label and 255 characters per FQDN. The latter is based on the maximum path length that is possible with an Active Directory domain name with the paths required in, and must comply with the limitation of 260 characters.

    An example path in includes:

    This can contain user inputs such as the file name of the logon script, so it can be of considerable length.

    The AD-FQDN domain name appears twice in the path because the length of an AD-FQDN domain name is limited to 64 characters.

    In Windows 2000 and Windows Server 2003, the maximum host name and FQDN use the standard length restrictions mentioned earlier, with support for UTF-8 (Unicode). Because some UTF-8 characters are longer than one octet, you cannot determine the size by counting the characters.

  • Single label domain namespaces

    Single-label DNS names are names that do not contain a suffix. For example, host is a single-label DNS name. Most Internet registrars do not allow you to register single-label DNS names.

    In general, it is recommended that you register DNS names for internal and external namespaces with an Internet registrar. This includes the DNS names of Active Directory domains, unless those names are subdomains of DNS names registered with your organization name. Is z. B. a subdomain of. Registering your DNS name with an Internet registrar can help prevent name collisions. A name collision can occur when another organization tries to register the same DNS name or when your organization is merged with another organization that is using the same DNS name.

    Problems associated with single-label namespaces include:

    • Single-label DNS names cannot be registered by using an Internet registrar.

    • Domains that have single-label DNS names require additional configuration.

    • The DNS Server service cannot be used to locate domain controllers in domains that have single-label DNS names.

    • By default, Windows Server 2003-based domain members, Windows XP-based domain members, and Windows 2000-based domain members do not perform dynamic updates to single-label DNS zones.

      For more information, see Deployment and operation of Active Directory domains that are configured by using single-label DNS names.

  • Reserved names

    See table of reserved words.

    Do not use top-level Internet domain names on the intranet. If you use top-level Internet domain names on your intranet, computers on the intranet that are also connected to the Internet may encounter name resolution errors.

Disjoint namespaces

A disjoint namespace occurs when a computer's primary DNS suffix does not match the DNS domain of which it is a member. For example, a disjoint namespace occurs when a computer with the DNS name is in a domain with the DNS name.

How disjoint namespaces occur:

  1. A Windows NT 4.0 primary domain controller is upgraded to a Windows 2000 domain controller by using the original release version of Windows 2000. Multiple DNS suffixes are defined in the Networking item in Control Panel.

  2. The domain is renamed when the forest is at the Windows Server 2003 forest functional level, and the primary DNS suffix is not changed to reflect the new DNS domain name.

Effects of a disjoint namespace:

For example, suppose a domain controller named DC1 is in a Windows NT 4.0 domain whose NetBIOS domain name is contoso. This domain controller will be upgraded to Windows 2000. When this upgrade is performed, the DNS domain will be renamed. In the original version of Windows 2000, the upgrade routine clears the check box that links the domain controller's primary DNS suffix to its DNS domain name. So the primary DNS suffix of the domain controller is the Windows NT 4.0 DNS suffix defined in the Windows NT 4.0 suffix search list. In this example is the DNS name.

The domain controller dynamically registers its service location (SRV) records in the DNS zone that corresponds to its DNS domain name. However, the domain controller registers its host records in the DNS zone that corresponds to its primary DNS suffix.

For more information about a disjoint namespace, see the following articles:

Other factors

  • Forests connected to the Internet

    An Internet-connected DNS namespace must be a subdomain of a domain at the top or second level of the Internet DNS namespace.

  • Maximum number of domains in a forest

    In Windows 2000, the maximum number of domains in a forest is 800. In Windows Server 2003 and later versions, the maximum number of domains at forest functional level 2 is 1200. This restriction is a limitation of multivalued non-linked attributes in Windows Server 2003.

  • Best practices

    • The DNS names of all nodes that require name resolution include the Internet DNS domain name for the organization. So choose an Internet DNS domain name that is short and easy to remember. Because DNS is hierarchical, the DNS domain names grow as you add subdomains to your organization. Short domain names make computer names easy to remember.

    • If the organization has an Internet presence, use names that are relative to the registered Internet DNS domain name. For example, if you registered the Internet DNS domain name, use a DNS domain name; B. for the intranet domain name.

    • Do not use an existing company or product name as the domain name. Doing so can lead to a name collision later.

    • Avoid using a generic name like "domain.localhost". Another company that you will merge with in a few years' time may follow the same line of thinking.

    • Do not use an acronym or abbreviation as the domain name. Users may have difficulty figuring out the division that an acronym represents.

    • Avoid using underscores (_) in domain names. Applications may follow the RFCs strictly, reject the name, and then not install or function in your domain. You can also experience problems with older DNS servers.

    • Do not use a business unit or department name as a domain name. Business units and other departments change, and these domain names can be misleading or out of date.

    • Don't use geographic names that are difficult to spell and remember.

    • Avoid expanding the DNS domain name hierarchy more than five levels from the root domain. You can reduce administrative costs by limiting the scope of the domain name hierarchy.

    • If you are deploying DNS on a private network and you do not want to create an external namespace, register the DNS domain name that you are creating for the internal domain. Otherwise, you may find the name unavailable when you try to use it on the internet or when you connect to a network that is connected to the internet.
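
The domain-level points above (single-label names, underscores, the 64-character limit on an AD domain FQDN, the 155-byte limit for domain controller FQDNs, and the disjoint namespace condition in which host records and SRV records land in different zones) can be audited from an inventory export. The following is an added example, not code from the original article; the function names and the constructed example.com inventory are assumptions made for illustration.

```python
def normalize(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()


def check_ad_domain(domain):
    """Return the article's DNS domain name concerns that apply to `domain`."""
    name = normalize(domain)
    labels = name.split(".")
    problems = []
    if len(labels) == 1:
        problems.append("single-label DNS name")
    if "_" in name:
        problems.append("underscore in domain name")
    if len(name) > 64:
        problems.append("AD domain FQDN longer than 64 characters")
    if any(len(label.encode("utf-8")) > 63 for label in labels):
        problems.append("label longer than 63 bytes")
    return problems


def check_member(fqdn, ad_domain, is_dc=False):
    """Report whether a member is disjoint and which zones hold its records."""
    full_name = normalize(fqdn)
    host, _, primary_suffix = full_name.partition(".")
    domain = normalize(ad_domain)
    result = {
        "host": host,
        "disjoint": primary_suffix != domain,
        # Host records follow the primary DNS suffix.
        "host_record_zone": primary_suffix,
        # A domain controller registers its SRV records under the AD domain name.
        "srv_record_zone": domain if is_dc else None,
        "problems": [],
    }
    if result["disjoint"]:
        result["problems"].append(
            f"primary DNS suffix '{primary_suffix}' does not match domain '{domain}'")
    if is_dc and len(full_name.encode("utf-8")) >= 155:
        result["problems"].append("domain controller FQDN is not under 155 bytes")
    return result


def audit(members):
    """Return only the members that have at least one problem."""
    results = (check_member(*member) for member in members)
    return [r for r in results if r["problems"]]


# Constructed inventory: (computer FQDN, AD DNS domain name, is domain controller).
SAMPLE = [
    ("DC1.corp.example.com", "corp.example.com", True),
    ("DC2.legacy.example.net.", "corp.example.com", True),
    ("ws042.Corp.Example.com", "corp.example.com", False),
    ("app7.branch.corp.example.com", "corp.example.com", False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```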

Site names

It is recommended that you use a valid DNS name when creating a new site name. Otherwise, your site will only be available where a Microsoft DNS server is used. For more information on valid DNS names, see the DNS host names section.

  • Allowed characters

    DNS names can only contain alphabetic characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are only allowed when used to separate the components of domain names.

    The Windows 2000 Domain Name System (DNS) and Windows Server 2003 DNS support Unicode characters. Other implementations of DNS do not support Unicode characters. Avoid Unicode characters when submitting queries to servers that use non-Microsoft implementations of DNS.

    For more information, please visit the following websites:

  • Invalid characters

    DNS names cannot contain the following characters:

    • Comma (,)

    • tilde (~)

    • Colon (:)

    • Exclamation mark (!)

    • at sign (@)

    • Pound sign (#)

    • Dollar sign ($)

    • Percent (%)

    • caret (^)

    • ampersand (&)

    • apostrophe (')

    • Period (.)

    • Brackets (())

    • curly braces ( {} )

    • Underscore (_)

    • Space (empty)

      The underscore has a special role. It is permitted for the first character in SRV data records according to the RFC definition. However, newer DNS servers can also allow this anywhere in a name. For more information, see Complying with Name Restrictions for Hosts and Domains.

      Further rules are:

    • All characters preserve their case formatting, with the exception of ASCII characters.

    • The first character must be alphabetical or numeric.

    • The last character cannot be a minus sign or a period.

  • Minimum name length: 1 character

  • Maximum name length: 63 characters

    The maximum length of the DNS name is 63 bytes per label.

    In Windows 2000 and Windows Server 2003, the maximum host name and FQDN use the standard length restrictions mentioned earlier, with support for UTF-8 (Unicode). Because some UTF-8 characters are longer than one octet, you cannot determine the size by counting the characters.

OU names

  • Allowed characters

    All characters are allowed, even extended characters. Although you can use Active Directory Users and Computers to name an organizational unit with extended characters, it is best to use names that describe the purpose of the organizational unit and that are short enough to make it easy to manage. Lightweight Directory Access Protocol (LDAP) has no restrictions because the CN of the object is enclosed in quotation marks.

  • Invalid characters

    No characters are disallowed.

  • Minimum name length: 1 character

  • Maximum length of the name: 64 characters

Special problems

If the OU at the root level of the domain has the same name as a future child domain, database problems can occur. Consider a scenario where you have an organizational unit named marketing, for example, and you want to create a child domain with the same name (the leftmost label of the child domain name is the same).

The organizational unit is deleted, and during the tombstone lifetime of the organizational unit, a child domain with the same name is created, deleted, and created again. In this scenario, a duplicate record name in the ESE database results in a phantom-phantom name collision when the child domain is re-created. This problem prevents the configuration container from replicating.

Note

A similar naming conflict can also occur with other RDN name types under certain conditions that are not limited to DC and OU name types.

Table of reserved words

Reserved words for names   Windows NT 4.0   Windows 2000   Windows Server 2003 and higher
ANONYMOUS                  X                X              X
AUTHENTICATED USER         -                X              X
BATCH                      X                X              X
BUILTIN                    X                X              X
CREATOR GROUP              X                X              X
CREATOR GROUP SERVER       X                X              X
CREATOR-OWNER              X                X              X
CREATOR OWNER SERVER       X                X              X
DIALUP                     X                X              X
DIGEST AUTHENTICATION      -                -              X
INTERACTIVE                X                X              X
INTERNET                   -                X              X
LOCAL                      X                X              X
LOCAL SYSTEM               -                -              X
NETWORK                    X                X              X
NETWORK SERVICE            -                -              X
NT AUTHORITY               X                X              X
NT DOMAIN                  X                X              X
NTLM AUTH                  -                -              X
NULL                       X                X              X
PROXY                      -                X              X
REMOTE INTERACTIVE         -                -              X
RESTRICTED                 -                X              X
SCHANNEL AUTH              -                -              X
SELF                       -                X              X
SERVER                     -                X              X
SERVICE                    X                X              X
SYSTEM                     X                X              X
TERMINAL SERVER            -                X              X
THIS ORGANIZATION          -                -              X
USER                       -                -              X
WORLD                      X                X              X
