Oct 16, 2018

In this post, I’ll be going over how to add additional and/or alternative UPN suffixes to your Active Directory. I’ll also be going over why you may require this inside of your environment.

This is also a follow-up post to the article here: https://www.stephenwagner.com/2016/09/23/outlook-2016-exchange-2013-password-prompts-upn-and-samaccountname-troubles/ as Microsoft has deleted the KB 243629 article which contained the original instructions.

Why

There are a number of reasons why you may want to do this:

  1. You’re migrating to a newer version of Microsoft Outlook 2016, and require the user’s UPN to match the user’s e-mail address for auto-configure to function.
  2. Your internal domain is a “domain.local” domain, however you want users to log in with a “domain.com” domain.
  3. You are implementing a line of business application or other piece of software that requires user’s UPNs to match their e-mail addresses.
  4. You’re performing a migration.

How

Let’s get to it! Here’s how to add an alternative UPN suffix to an Active Directory domain:

  1. Log on to your domain controller.
  2. Open “Active Directory Domains and Trusts”
  3. On the left hand side of the new window, right click on “Active Directory Domains and Trusts”, and select “Properties” (as shown below).
    Active Directory Domains and Trusts Window

  4. Type in your new domain suffix into the “Alternative UPN suffixes” box, and then click “Add”, as shown below.
    Add Alternative UPN suffix

  5. Click “Apply” and then close out of the windows.

The new UPN suffix should now be available in “Active Directory Users and Computers”, and you should be able to assign it to users.
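The same change can be made and verified from PowerShell. The script below is an added example, not part of the original post: it adds the suffix at the forest level (the equivalent of the “Alternative UPN suffixes” box), confirms it registered, and then lists users whose UPN does not match their primary e-mail address, which is the condition reasons 1 and 3 above are about. The suffix name `domain.com` is a placeholder, and the write step runs with `-WhatIf` so nothing is changed until you have reviewed the report. It requires the ActiveDirectory RSAT module and Enterprise Admin rights for the forest-level change.

```powershell
# Added example (not the post's own code). Adds an alternative UPN suffix, verifies it,
# and reports/aligns user UPNs with their mail attribute. 'domain.com' is a placeholder.
Import-Module ActiveDirectory

$NewSuffix = 'domain.com'

# 1. Add the suffix at the forest level if it is not already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Verify it registered (same list the Domains and Trusts properties dialog shows).
$forest = Get-ADForest
Write-Host "Registered UPN suffixes: $($forest.UPNSuffixes -join ', ')"

# 3. Find users whose UPN does not match their primary e-mail address.
$mismatched = Get-ADUser -Filter 'mail -like "*"' -Properties mail, UserPrincipalName |
    Where-Object { $_.UserPrincipalName -ne $_.mail }

# Report first; only write after reviewing this list.
$mismatched | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

# 4. Set UPN = mail address, but only where the mail domain is a name the forest knows
#    (a forest domain or a registered suffix). A mistyped mail attribute would otherwise
#    produce a UPN nobody can log in with. -WhatIf previews; remove it to apply.
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
foreach ($u in $mismatched) {
    $domainPart = ($u.mail -split '@')[-1]
    if ($knownSuffixes -contains $domainPart) {
        Set-ADUser -Identity $u -UserPrincipalName $u.mail -WhatIf
    } else {
        Write-Warning "$($u.SamAccountName): mail domain '$domainPart' is not a registered UPN suffix; skipping"
    }
}
```

Adding the suffix on its own changes nothing for existing accounts; it only becomes a sign-in name once step 4 writes it to a user, which is why the report is separated from the write and why the write is gated on the suffix actually existing in the forest.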

You can also configure the user accounts via the Exchange Administration Center (EAC). See below for an example:

Exchange Administration Center UPN Suffix

  15 Responses to “How to add an alternative UPN suffix to an Active Directory domain”

  1. […] First we have to add the UPN suffix (which is the actual e-mail address domain name) to the Active Directory Domain and Trusts. Instructions are available here: https://support.microsoft.com/en-us/kb/243629 (please note Microsoft has since deleted the original knowledge base article) https://www.stephenwagner.com/2018/10/16/how-to-add-an-alternative-upn-suffix-to-an-active-directory…. […]

  2. Hi Stephen,

    Thanks a lot for so prompt update!
    The guide itself is great but appears that there are a few more steps to do because when provided login username@mycompany.com – certificate error began to appear “The name on security certificate is invalid..” It was still trying to connect to mydomain.local
    The solution was to change Server -> Outlook Anywhere settings from mydomain.local to mycompany.com
    But now pop-up for my delegated mailboxes started to come out – I can see name of the delegated mailbox on the password pop-up. It is not asking about password for the main account anymore.
    Authentication is set to NTLM, SSL offloading unticked, and my FQDN domain set internally and externally as stated before.
    Do you have any idea what can it be?

    Many thanks,
    Daniel

  3. Hi Daniel,

    It sounds like you might have a few issues going on (in addition to what’s discussed in the two blog posts).

    First, let’s get in to the UPN change. I’m assuming you’ve done it for one user, you should do this for all users to prep for the migration to Outlook 2016. If your mailbox has access to others, you should have the UPN changed on those as well. Additionally, you may have to remove and re-add them to Outlook.

    As for your comment regarding the hostname for Outlook Anywhere. I would highly recommend configuring a single DNS namespace for your Exchange configuration. I would also recommend that you use an external domain name, that is resolving properly both externally and internally.

    You can have split DNS configured, and have different DNS namespaces on the internal and external, but I find this is harder to manage, and can cause more issues (like the one you experienced with Outlook Anywhere).

    I think your next step would be to consider the above (regarding a single DNS namespace), and also verify that all your virtual directory URLs (internal hostname, and external hostname) are correct.

    Even if you’re still using .local for the AD domain, you should try to have Exchange using the external .com domain for everything mail related.

    I hope I explained this clearly (it’s a lot to take in).

    Cheers,
    Stephen

  4. Hi Stephen,

    Strange Microsoft removed the KB article.
    I wanted to understand why Microsoft removed it and then I found a related Microsoft doc. Same solution with Microsoft’s new cloud focus in mind: prepare AD for an Azure AD synchronisation to set up Office 365

    https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization

  5. Thanks for bringing this to my attention!

    I’ve been noticing in the last 3 or 4 years that Microsoft has been killing tons of KBs and other documents that are essential for IT professionals like us…

    I believe it’s in an effort to force migration to their cloud products, which is really upsetting.

    There’s those of us that see the value of owning equipment, keeping data on-prem and protected, as well as the cost savings of an on-prem IT strategy VS cloud (in most common scenarios for the SMB market).

    It’s truly a shame…

  6. I think it would be great if you addressed a situation if your on-prem domain does not match your azure verified domain.

    Example: My domain is company.local. My public domain (and email domain used in O365 and thus Azure AD) is mycompanyinc.com. Doesn’t seem like this could be addressed by simply creating a suffix.

  7. Hello, I was wondering if just adding the additional UPN suffix has any effect on the current users and computers, I have a situation where we are attempting to access a share on a domain computer using an alternate name with a different domain name from the one in our active directory and we are getting access denied. As this is a production environment I don’t want to cause any issues when adding the alternate UPN.

  8. Hi Douglas,

    Adding the UPN suffix should have no change or effect if you haven’t changed it on user accounts afterwards.

    However, I’m not sure I’m following exactly what you’re trying to do. Do you have two separate domains in a single AD forest, or what’s going on exactly?

    Stephen

  9. No we don’t have two domains, but we want to connect to a share on a server using a different name and domain name or Cname. We are able to connect fine using an alternate server name with the native domain name, example:
    actual server name fileserver01
    Alternate server name fileserver11
    Native domain name domain-name.pri
    Alternate domain name domain.st.gov
    Added the alternate server name in dns, in the forward lookup zone domain.st.gov
    Also added alternate server name in native domain forward lookup zone.
    Able to connect to share on server using fileserver11.domain-name.pri, no credentials pop up, share displays fine.
    When connecting using alternate name with alternate domain name fileserver11.domain.st.gov I get a credential pop up and access denied.

  10. So just to confirm, you have two separate non-connected domain names? And you’re trying to use a computer on domain 1, to connect to a file share on domain 2 that it’s not connected to?

    If this is the case, you ABSOLUTELY DO NOT want to add an alternative UPN… This is not supported, and could potentially break things, cause issues with DNS, etc… It’ll also probably cause issues with logins (as the systems might attempt to login to one domain, when they should be using the other).

    If this is the setup you have, you should log in to the shares on the foreign domain using the proper format. Example: Use format “User@domain.com”, or “DOMAIN\UserName”.

  11. No, the server is joined to the native domain, we are logging on using domain account but we want to use a cname or alternate name with different domain name to connect to a share on that server. The alternate domain does not exist in the environment as an active directory domain, we just want to use the alternate domain name in the host name, we own the alternate domain name so we are not going to conflict with another AD, we are just wanting to connect to a share on a domain joined server using cname or alternate name is all.

  12. I see! Thanks for explaining!

    You’re going to need to incorporate future planning. But, if you technically want simple/quick forget about the alternative UPN suffix as these are used for User Principal Names for user accounts. Just create a new domain on your internal DNS server, and add a host or a cname entry…

    If you do ever light up a new domain (either under the same forest, or a new forest), you’ll need to delete this domain beforehand and undo everything you did.

  13. That is already done, we have the alternate domain name in our DNS as a forward lookup zone and the host name records exist in both native and alternate domain name zones, still get access denied when trying to connect to share using alternate host and domain name.

  14. I just have concerns with creating the DNS entries, as well as adding an additional UPN suffix…

    Technically if the DNS domain exists, or records exist, AD will query the domain for Auth and domain info, technically possibly ignoring the additional UPN because they are conflicting (or vice versa).

    Technically if you want logins and computers in a different domain, I’m assuming the best practice would be to create another domain in the forest.

  15. Thanks, that is very helpful
