Alternate UPN

  • Question

  • Hi, I'm trying to set up alternate UPN suffixes so that our users can log in using user@domain.com instead of domain\user.  We have one forest and one domain (DC Windows 2003 SP2).

    I went ahead and added the alternate UPNs in Active Directory Domains & Trusts, but they do not show up in the dropdown (account tab) in ADUC.  I think it has something to do with our old Exchange 2003 policies but I'm not sure.  We are on Exchange 2010 now (decommissioned Ex 2003), but I still see the old policies via ADSIedit.

    More info.....  I noticed the behavior is dependent on which OU I create a user in.  For example we have two companies (company1 and company2), each with their own OU.  If I create the user in OU "Company1" it restricts what I can choose as a suffix: domain.corp and old-domain.com (I want to be able to see new-domain.com, which I have added as an alternate UPN suffix in AD Domains and Trusts).  Company 2 behaves in a similar fashion.  If I create the user in an OU outside of these company OUs I can see all of the domains I created as alternate UPNs.

    So it seems like there are policies somewhere, I just can't figure out where.

    Help!

    -Manny

    Wednesday, April 6, 2011 6:57 PM

Answers

  • Actually, OU objects in AD have a uPNSuffixes attribute, which probably explains your experience. See this link:

    http://msdn.microsoft.com/en-us/library/aa442679.aspx

    This article explains the relation between the suffixes defined for the domain (in the cn=Partitions container of the cn=Configuration container), and uPNSuffixes on the OU:

    http://support.microsoft.com/kb/269441

    You can see all of this in ADSI Edit. If you view the cn=Partitions container in the default cn=Configuration container, the canonicalName attribute probably defines your default domain.com. My guess is that the uPNSuffixes attribute of this container has no values. Simplest solution for you would be to edit the uPNSuffixes attribute of the two OU objects in AD. This is a multi-valued attribute so you can add the value you want to each.

     


    Richard Mueller - MVP Directory Services
    • Marked as answer by Manny15 Friday, April 8, 2011 1:29 AM
    Friday, April 8, 2011 12:48 AM

All replies

  • As far as I know, adding a UPN suffix will not be visible in the drop down menu. It's used to create accounts with a different suffix than the actual domain name. Consider, you have multiple client accounts in the same domain, and you can provide each client with a different UPN suffix to log in to the domain.

    Conclusion: adding/changing a UPN suffix doesn't appear in the drop down menu.

    http://support.microsoft.com/kb/243629

    http://blogs.dirteam.com/blogs/tomek/archive/2009/08/24/using-multiple-upn-suffixes-for-users-in-single-directory.aspx

     

    Regards  


    Awinish Vishwakarma| MY Blog  

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by cclebie Tuesday, January 30, 2018 9:51 PM
    Thursday, April 7, 2011 4:40 AM
  • Hello,

    If you add UPN suffixes they should also apply in AD UC user account properties, account tab, user logon name @domain or @newsuffix. I have no problem viewing them in AD UC on my lab system. Also with Exchange 2003 it works as expected.

    Also Exchange is able to view them: http://blogs.technet.com/b/evand/archive/2007/03/15/alternative-upn-suffixes-and-new-mailbox-gui.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Thursday, April 7, 2011 8:05 AM
  • You should be able to select the correct UPN from the dropdown menu.  Are you connecting to the same DC when creating new user accounts for Company1 and Company2?  Just wanted to make sure it is not a DC replication issue or something related to that.

    >>but I still see the old policies via ADSIedit

     What policies are you talking about? Email policy?  It doesn’t affect the UPN. 

     


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara

    This posting is provided AS IS with no warranties, and confers no rights.
    Thursday, April 7, 2011 12:18 PM
  • It should be pointed out that the discussion so far has addressed alternate UPN suffixes, because of your subject. However, if the NetBIOS name of your domain is "domain", and the DNS name of your domain is "domain.com", then you may not need an alternate UPN suffix. If the sAMAccountName of the user is "jsmith" (the "pre-Windows 2000 logon" name of the user), they can already logon using either domain\jsmith or jsmith@domain.com. This is true even if there is no value assigned to the userPrincipalName attribute (the field labeled "User logon name" on the "Account" tab of ADUC).

     


    Richard Mueller - MVP Directory Services
    Thursday, April 7, 2011 4:00 PM
  • Thanks for all the responses guys.  I know this is kind of a unique situation, so let me try to explain better.  I'll give an example.

    1) Two OUs have been created for Company1 and Company2 that contain all of the user accounts for each company.  All in the same forest and domain (domain.corp).

    2) In ADUC I can see the following for Company1:

          a) Existing users in Company1 OU can only see the domain old-name-company1.com in the account tab (in AD user properties).
          b) When creating a new user in Company1 OU, I can only choose domain.corp or old-name-company1.com.
          Note: I cannot see the new alternate UPN: new-name-company1.com

    3) For Company2, I see the exact same behaviour. Except for existing users it can only see old-name-company2.com; and for new users I can only choose from domain.corp and old-name-company2.com.  Again I do not see my other new alternate UPN: new-name-company2.com

    The only reason I think it has to do with Exchange is because our old Exchange 2003 policies were created to give a user a default SMTP address based on which OU the user account was located in.  So for example, if a new user was created in the company1 OU, it would have the following email address: user@old-name-company1.com.

    The only reason I'm adding alternate UPNs is to allow users to log in to Windows as user@new-name-company1.com or user@new-name-company2.com.  That's the end result I want to achieve.  I might be going down the wrong path in figuring this out, but I'm not sure where else to look.

    Thanks for your help!

    -Manny

    • Marked as answer by Manny15 Friday, April 8, 2011 1:28 AM
    • Unmarked as answer by Manny15 Friday, April 8, 2011 1:29 AM
    Friday, April 8, 2011 12:31 AM
  • Hi Richard,

    I think we're on the right track now!  I can see that the OUs do have the uPNSuffixes attribute configured.  If I clear the uPNSuffixes will I be able to see all the alternate UPNs?

    Thanks

    Manny

    Friday, April 8, 2011 1:08 AM
  • I haven't played with this, but the way I read it, if you want different UPN suffixes allowed for users in each OU, you should assign the desired values to the uPNSuffixes attribute of the OU. If you want all users to have the same suffixes allowed, then assign the values to the cn=Partitions,cn=Configuration container. You should always be able to select the default value for all users, as specified by the canonicalName attribute of the cn=Partitions container, so don't add that.

     


    Richard Mueller - MVP Directory Services
    Friday, April 8, 2011 1:24 AM
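An added example (not code from the thread) that puts Richard's two posts into practice: it reads the forest-wide suffix list on CN=Partitions, finds every OU whose own uPNSuffixes attribute overrides that list (the cause of Manny's symptom), and shows both fixes, clearing the OU override or adding the new suffix to it. It assumes the RSAT ActiveDirectory module is available and uses OU names constructed from the thread (OU=Company1,DC=domain,DC=corp); the Get-EffectiveUpnSuffixes function name is mine.

```powershell
# Added example: audit OU-level uPNSuffixes overrides versus the forest-wide list.
# Assumes the RSAT ActiveDirectory module; DNs below are constructed, not real.
Import-Module ActiveDirectory

function Get-EffectiveUpnSuffixes {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $rootDse   = Get-ADRootDSE
    $domainDns = (Get-ADDomain).DNSRoot   # always selectable in ADUC
    # The forest-wide list written by "Alternate UPN suffixes" in Domains and Trusts
    # lives on CN=Partitions in the Configuration naming context.
    $partitions = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" `
                               -Properties uPNSuffixes
    $ou = Get-ADOrganizationalUnit -Identity $OuDistinguishedName -Properties uPNSuffixes

    if ($ou.uPNSuffixes.Count -gt 0) {
        # An OU-level value replaces the forest list for users created in that OU.
        $source = 'OU override (uPNSuffixes on the OU)'
        $list   = @($domainDns) + @($ou.uPNSuffixes)
    } else {
        $source = 'forest-wide (CN=Partitions)'
        $list   = @($domainDns) + @($partitions.uPNSuffixes)
    }
    [pscustomobject]@{
        OU       = $OuDistinguishedName
        Source   = $source
        Suffixes = @($list | Select-Object -Unique)
    }
}

# Audit: list every OU that carries its own uPNSuffixes, i.e. the OUs that hide
# newly added forest suffixes from the ADUC dropdown.
Get-ADOrganizationalUnit -Filter * -Properties uPNSuffixes |
    Where-Object { $_.uPNSuffixes.Count -gt 0 } |
    Select-Object DistinguishedName, @{ n = 'uPNSuffixes'; e = { $_.uPNSuffixes -join ', ' } }

# What a user created in the Company1 OU can actually pick (constructed DN).
Get-EffectiveUpnSuffixes -OuDistinguishedName 'OU=Company1,DC=domain,DC=corp'

# Fix A (what Manny did): clear the OU override so the forest-wide list applies.
# Set-ADOrganizationalUnit -Identity 'OU=Company1,DC=domain,DC=corp' -Clear uPNSuffixes

# Fix B (Richard's suggestion): keep per-OU control and add the new suffix to it.
# Set-ADOrganizationalUnit -Identity 'OU=Company1,DC=domain,DC=corp' `
#     -Add @{ uPNSuffixes = 'new-name-company1.com' }
```

The two Set-ADOrganizationalUnit lines are left commented so the script is read-only until you choose a fix; run the audit first and keep its output, since an unexpected OU override is also what you would look for if a suffix disappears from the dropdown again later.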
  • The answer is Yes.  I just cleared out the uPNSuffixes on one OU and it allowed me to select the new suffix in ADUC.  I tested logging in to a PC and it worked.  Thanks for your help!

    Manny

    • Proposed as answer by CoachBill1 Saturday, February 9, 2013 8:10 AM
    Friday, April 8, 2011 1:28 AM
  • Thanks Manny, I wasted hours attempting to troubleshoot this until I read your response.
    Saturday, February 9, 2013 8:14 AM