Oct 162018

In this post, I’ll be going over how to add additional and/or alternative UPN suffixes to your Active Directory. I’ll also be going over why you may require this inside of your environment.

This is also a follow up post to the article here: https://www.stephenwagner.com/2016/09/23/outlook-2016-exchange-2013-password-prompts-upn-and-samaccountname-troubles/ as Microsoft has deleted the KB 243629 article which contained the original instructions.


There is a number of reasons why you may want to do this:

  1. You’re migrating to a newer version of Microsoft Outlook 2016, and require the users UPN to match the users e-mail address for auto-configure to function.
  2. Your internal domain is is a “domain.local” domain, however you want users to log in with a “domain.com” domain.
  3. You are implementing a line of business application or other piece of software that requires user’s UPNs to match their e-mail addresses.
  4. You’re performing a migration.


Let’s get to it! Here’s how to add an alternative UPN suffix to an Active Directory domain:

  1. Log on to your domain controller.
  2. Open “Active Directory Domains and Trusts”
  3. On the left hand side of the new window, right click on “Active Directory Domains and Trusts”, and select “Properties” (as shown below).
    Active Directory Domains and Trusts Window

    Active Directory Domains and Trusts Window


  4. Type in your new domain suffix in to the “Alternative UPN suffixes” box, and then click “Add”. As shown below.
    Add Alternative UPN suffix

    Add Alternative UPN suffix


  5. Click “Apply” and then close out of the windows.

The new UPN suffix should be available via “Active Directory Users and Computers” and you should be able to set it to users.

You can also configure the user accounts via the Exchange Administration Center (EAC). See below for an example:

Exchange Administration Center UPN Suffix

Exchange Administration Center UPN Suffix


  5 Responses to “How to add an alternative UPN suffix to an Active Directory domain”

  1. […] First we have to add the UPN suffix (which is the actual e-mail address domain name) to the Active Directory Domain and Trusts. Instructions are available here: https://support.microsoft.com/en-us/kb/243629 (please note Microsoft has since deleted the original knowledge base article) https://www.stephenwagner.com/2018/10/16/how-to-add-an-alternative-upn-suffix-to-an-active-directory…. […]

  2. Hi Stephen,

    Thanks a lot for so prompt update!
    The guide itself is great but appears that there are few more steps to do because when provided login username@mycompany.com – certificate error began to appear “The name on security cerificate is invalid..” It was still trying to connect to mydomain.local
    The solution was to change Server -> Outlook Anywhere settings from mydomain.local to mycompany.com
    But now pop-up for my delegated mailboxes started to came out – I can see name of the delegated mailbox on the password pop-up. It is not asking about password for the main account anymore.
    Authetication is set to NTLM, SSL offloading unticked, and my FQDN domain set internally and externally as stated before.
    Do you have any idea what can it be?

    Many thanks,

  3. Hi Daniel,

    It sounds like you might have a few issues going on (in addition to what’s discussed in the two blog posts).

    First, let’s get in to the UPN change. I’m assuming you’ve done it for one user, you should do this for all users to prep for the migration to Outlook 2016. If you mailbox has access to others, you should have the UPN changed on those as well. Additionally, you may have to remove and re-add them to Outlook.

    As for your comment regarding the hostname for Outlook Anywhere. I would highly recommend configuring a single DNS namespace for your Exchange configuration. I would also recommend that you use an external domain name, that is resolving properly both externally and internally.

    You can have split DNS configured, and have different DNS namespaces on the internal and external, but I find this is harder to manage, and can cause more issues (like the one you experienced with Outlook Anywhere).

    I think your next step would be to consider the above (regarding a single DNS namespace), and also verify that all your virtual directory URLs (internal hostname, and external hostname) are correct.

    Even if you’re still using .local for the AD domain, you should try to have Exchange using the external .com domain for everything mail related.

    I hope I explained this clearly (it’s a lot to take in).


  4. Hi Stephen,

    Strange Microsoft removed the KB article.
    I wanted to understand why Microsoft remvoed it and then i found a related Microsoft doc. Same solution with Microsofts new cloud focus in mind: prepare AD for an Azure Ad synchronisation to setup Office 365


  5. Thanks for bringing this to my attention!

    I’ve been noticing in the last 3 or 4 years that Microsoft has been killing tons of KBs and other documents that are essential for IT professionals like us…

    I believe it’s in an effort to force migration to their cloud products, which is really upsetting.

    There’s those of us that see the value of owning equipment, keeping data on-prem and protected, as well as the cost savings of an on-prem IT strategy VS cloud (in most common scenarios for the SMB market).

    It’s truly a shame…

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>