Learn AD in 15 Minutes a Week: Lightweight Directory Access Protocol Page 3

Active Directory is not an X.500 directory in and of itself, but it does follow the X.500 information model. It uses LDAP as the access protocol on TCP port 389 by default. The LDAP naming structure follows the X.500 naming design and looks similar to this:


[NOTES FROM THE FIELD] - Encrypted LDAP (LDAP over SSL/TLS, commonly called LDAPS) requires secure authentication and transport and uses TCP port 636 by default.

An LDAP URL names the server holding Active Directory services and the distinguished name of the object, which looks similar to this:


[NOTES FROM THE FIELD] - The relative distinguished name (RDN) of an object is the part of the name that is an attribute of the object itself. While the distinguished name of a printer object might be /DC=COM/DC=gunderville/OU=sales/OU=printers/CN=HP5SI, the relative distinguished name of that printer object is HP5SI. The only "problem" is that a second printer object with the distinguished name /DC=COM/DC=gunderville/OU=accounting/OU=printers/CN=HP5SI also has the relative distinguished name HP5SI; they are nonetheless two separate objects, and this is allowed because they sit in different locations in the Active Directory hierarchy. You can have duplicate relative distinguished names for Active Directory objects, but you cannot have two objects with the same relative distinguished name in the same Organizational Unit.
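The RDN rule above, worked through in code. This is an added example, not code from the original article: it parses the slash-style distinguished names the article uses, derives each object's RDN and parent container, renders the comma-separated form an LDAP client would send, and flags two objects that would collide in the same container. The helper names (parse_dn, rdn_of, parent_of, to_ldap_dn, find_rdn_conflicts) are hypothetical, and the two HP5SI printers are the article's own sample names.

```python
from collections import defaultdict

def parse_dn(dn):
    """Split '/DC=COM/DC=gunderville/OU=sales/CN=HP5SI' into a list of
    (attribute, value) pairs, root first, as the article's notation lists them."""
    rdns = []
    for part in (p for p in dn.split("/") if p):
        attr, sep, value = part.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr.upper(), value))
    return rdns

def rdn_of(dn):
    """The RDN is the last (leaf) component: the attribute of the object itself."""
    attr, value = parse_dn(dn)[-1]
    return f"{attr}={value}"

def parent_of(dn):
    """Everything but the leaf names the container the object lives in."""
    comps = parse_dn(dn)[:-1]
    return "/" + "/".join(f"{a}={v}" for a, v in comps)

def to_ldap_dn(dn):
    """Render in the comma-separated, leaf-first form used on the wire by LDAP."""
    return ",".join(f"{a}={v}" for a, v in reversed(parse_dn(dn)))

def find_rdn_conflicts(dns):
    """Return (container, rdn) keys that occur more than once in the same container.
    Duplicate RDNs in different containers are fine; in one container they are not.
    Comparison is case-insensitive, matching how Active Directory compares names."""
    seen = defaultdict(list)
    for dn in dns:
        key = (parent_of(dn).lower(), rdn_of(dn).lower())
        seen[key].append(dn)
    return sorted(k for k, v in seen.items() if len(v) > 1)

if __name__ == "__main__":
    sales = "/DC=COM/DC=gunderville/OU=sales/OU=printers/CN=HP5SI"
    accounting = "/DC=COM/DC=gunderville/OU=accounting/OU=printers/CN=HP5SI"
    print(rdn_of(sales), "in", parent_of(sales))
    print(to_ldap_dn(sales))
    print("conflicts:", find_rdn_conflicts([sales, accounting]))
    print("conflicts:", find_rdn_conflicts([sales, sales.replace("HP5SI", "hp5si")]))
```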

Active Directory integrates the Internet concept of a namespace with the Windows 2000 directory services by using DNS as its naming system, and it can exchange information with any application or directory that uses LDAP version 2 or version 3, or Hypertext Transfer Protocol (HTTP).

LDAP uses the Active Directory database servers to provide access to a Directory Information Tree (DIT), which is composed of data objects.

The class of every object in the DIT is identified by its Globally Unique Identifier (GUID).

[NOTES FROM THE FIELD] - The American National Standards Institute (ANSI) is in charge of assigning the "upper portions" of GUIDs to requesting organizations. For example, Microsoft Corporation has been assigned the 1.2.840.113556 branch and can assign GUIDs beneath 1.2.840.113556 by appending additional dotted decimal identifiers.

Active Directory supports a few different naming formats, which I have outlined in the table below.

Format - Description
RFC 822 - RFC 822 is also called a User Principal Name and looks like any standard Internet e-mail address: Jason@Zandri.net
HTTP Uniform Resource Locator (URL) - Examples: http://www.gunderville.com, http://www.zandri.net, http://www.2000trainers.com, http://www.swynk.com/friends/zandri/, http://www.swynk.com
Universal Naming Convention (UNC) - Any path you might type in an Explorer window or at a command line to reach a given location on a system: D:\DATA\Saved\Online\70-219\70-219-6
LDAP URL - Following the RFC 1779 paper, Active Directory uses the LDAP URL naming convention of


LDAP names, used to identify Directory Information Tree objects, are based on the X.500 naming convention and combine the object class with the actual name of the object.

The following table outlines the most common LDAP object classes.

Common LDAP object classes.

Abbreviation - Object Class
DC - Domain Component
OU - Organizational Unit
CN - Common Name

[NOTES FROM THE FIELD] - On the exams, don't confuse DC=Domain Component with Domain Controller. Moreover, do not confuse CN=Common Name with Container Name. I have never had a large amount of Novell exposure, but I've been told that many Novell engineers are used to referring to CN as Container Name, and while that is not actually untrue (they effectively mean the same thing), it will be INCORRECT on the Microsoft exam.

This article was originally published on Jun 6, 2002
Page 3 of 4
