3.1.1.5.2.6 NC Requirements
The following requirements apply to DNs of AD DS NCs (the set of NCs that are parts of the Active Directory forest) other than the config NC and schema NC:
Each RDN label within the DN has the DC= type.
Each RDN label within the DN has a value, which is a valid DNS name label.
The following requirements apply to DNs of all Active Directory NCs:
The full DN of the NC does not match the DN of another existing object in an Active Directory NC.
If the immediate parent of the NC is not an Active Directory NC, then none of the ancestors (grandparent, grand-grandparent, and so on) are an Active Directory NC. In other words, the set of Active Directory NCs is a set of nonintersecting trees, and each tree does not have "holes".
The following requirements apply to the data stored in NC roots:
IT_NC_HEAD bit is set in the instanceType attribute.
If the NC has an immediate parent (which MUST be an NC root per the preceding rules), then IT_NC_ABOVE bit is be set in its instanceType attribute.
If the NC has child NCs, then their DNs are listed in its subRefs attribute.
If any server has a replica of the NC and of an NC C, which is a child of the NC, then the NC root of C is the subordinate reference object of C. If the server does not have a replica of C, then an object o is present in the server and satisfies the following requirements, and o is the subordinate reference object of C.
The IT_NC_HEAD bit is set in the instanceType attribute.
The IT_NC_ABOVE bit is set in the instanceType attribute.
The IT_UNINSTANT bit is set in the instanceType attribute.
Object o has the same distinguishedName and objectGUID as the child NC root object.
Object o is not exposed through the LDAP protocol. For information about the replication of subordinate reference objects, see [MS-DRSR] sections 4.1.1.2.2, 4.1.20.2, 5.6, and 5.32.
The default structure of data in NCs is covered in Naming Contexts in section 6.1.1.1.