Directory Services

Choosing a Syntax

There are 23 syntaxes defined in Active Directory. See Syntaxes for Active Directory Attributes.

The following table provides a short list of recommendations.

| Data to store in attribute | Syntax to use | Comment |
| --- | --- | --- |
| Binary data | OctetString | Use OctetString to store binary data. An OctetString is an array of bytes. |
| Binary data with a DN reference | DNWithOctetString | OctetString containing a binary value and a distinguished name (DN). Active Directory keeps the DN up-to-date. |
| Boolean | Boolean | Use for boolean values. |
| DN Reference | DN | Use to store distinguished names that you want kept up-to-date by Active Directory. When an attribute of DN syntax is created with a valid DN, Active Directory treats the attribute as a reference to the object represented by the DN that was set. If the referenced object is renamed or moved, Active Directory ensures that the attribute reflects the change. If the attribute is reset with a new DN, the attribute is a reference to the object represented by the new DN. |
| Integer | Integer | Use for integers. |
| Large Integer (64-bit values) | INTEGER8 | Use for 64-bit values. |
| Linked DN | DN | This string syntax can be used for linked DNs. Back links must be of syntax DN. Forward links can be of syntax DN (as well as DNWithString, DNWithBinary, AccessPointDN, or ORName). Linked attributes must have a linkID defined. See the description of linkID in attributeSchema properties. |
| Security Descriptor | ObjectSecurityDescriptor | Octet string containing a security descriptor. |
| Security Identifier (SID) | Sid | Octet string containing a security identifier (SID). Use this syntax to store SID values only. |
| String | DirectoryString | Use for most string attributes. It supports the Unicode character set. When Active Directory performs comparisons against attributes of this syntax (such as evaluating a query), it performs case-insensitive comparisons. Use the other string syntaxes (IA5String, NumericString, and so on) to store strings that should contain only the specific character sets supported by the syntax. |
| String data with a DN reference | DNWithString | OctetString containing a string value and a distinguished name (DN). Active Directory keeps the DN up-to-date. |
| Time | GeneralizedTime | Use the GeneralizedTime syntax to store time values rather than the UTCTime syntax because GeneralizedTime uses four characters for the year and UTCTime uses only two. |
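The Time recommendation can be seen by round-tripping a timestamp through both string forms. This is an added example, not code from the original page; the function names are hypothetical, the timestamps are constructed, and the two-digit-year pivot (50 and above means 19YY) is an assumption borrowed from the RFC 5280 convention, since the page does not state one.

```python
import re
from datetime import datetime, timezone

_FMT = "%Y%m%d%H%M%S"

def to_generalized_time(dt):
    """Encode as YYYYMMDDHHMMSS.0Z (four-digit year)."""
    return dt.astimezone(timezone.utc).strftime(_FMT) + ".0Z"

def to_utc_time(dt):
    """Encode as YYMMDDHHMMSSZ (two-digit year): the century is dropped."""
    return to_generalized_time(dt)[2:14] + "Z"

def from_generalized_time(value):
    """Decode GeneralizedTime; an optional fraction is accepted and discarded."""
    m = re.fullmatch(r"(\d{14})(?:[.,]\d+)?Z", value)
    if not m:
        raise ValueError(f"not a GeneralizedTime value: {value!r}")
    return datetime.strptime(m.group(1), _FMT).replace(tzinfo=timezone.utc)

def from_utc_time(value):
    """Decode UTCTime; the reader has to guess the century from a pivot."""
    m = re.fullmatch(r"(\d{2})(\d{10})Z", value)
    if not m:
        raise ValueError(f"not a UTCTime value: {value!r}")
    yy = int(m.group(1))
    century = 1900 if yy >= 50 else 2000  # assumed pivot (RFC 5280 style)
    return datetime.strptime(f"{century + yy}{m.group(2)}", _FMT).replace(
        tzinfo=timezone.utc)

def round_trips(dt):
    """Return (GeneralizedTime survives, UTCTime survives) for one timestamp."""
    return (from_generalized_time(to_generalized_time(dt)) == dt,
            from_utc_time(to_utc_time(dt)) == dt)

if __name__ == "__main__":
    # Constructed sample values, e.g. an expiry date stored in a custom attribute.
    for sample in (datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc),
                   datetime(2050, 1, 1, tzinfo=timezone.utc)):
        print(sample.isoformat(), to_generalized_time(sample),
              to_utc_time(sample), round_trips(sample))
```

An expiry or lockout timestamp that decodes a century early is treated as already past, which is why the four-digit form is the safer choice for attributes that gate access.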