UPN Suffixes

Greg

While exploring the client's AD design I discovered the
following:

Empty forest root = corp.root
domain = afh.net
domain = mhh.net

Using the root as a placeholder (allows transitive trusts
etc.), each of the domains has their own DNS etc.

The thing is, in mhh.net when a user is created and the
properties of that user are checked, the UPN suffix is (and
only is) mhh.net.

BUT

When browsing through (to add users to a group) I noticed
that afh.net users had the UPN of corp.root (while their
account is located in the folder afh/users), so I connected
to the afh.net domain and right-clicked and Properties and
lo and behold there was BOTH corp.root and afh.net (I
could select which I wanted).

Now someone said that you could add the suffix you wanted
(I agree if it's at the forest root, but in this case it's
not there, checked and double-checked). So HOW did those
users get 2 UPN suffixes (TechNet = no help)?

Gimme anything, this doesn't seem right. I'd like some
kind of documentation to show that afh admins are doing
something incorrectly or that it is the way it's supposed
to be done and we need to comply.

Thanks,

Greg
 
A user can have only one UPN suffix. You can change it, but it is still just
one. This information is written in the GC, and UPNs must be unique in the
forest. You create new UPN suffixes in the AD Domain and Trusts MMC, by clicking
the root property. When you add child domains to your root domains, then
the child domain can create users with the root domain UPN suffix or the child domain
UPN suffix. By default the root domain suffix is present when creating a new
user account in a child domain.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com
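
One way to check what is actually configured, as an added example that is not part of the original thread: this PowerShell script lists the alternative UPN suffixes defined forest-wide and counts, per domain, which suffixes user accounts really carry. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read every domain in the forest.

```powershell
# Added example: audit which UPN suffixes are defined and which are in use.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Alternative suffixes added through Active Directory Domains and Trusts.
# The list is forest-wide and is empty if none were ever added.
$alternative = @($forest.UPNSuffixes)
"Alternative UPN suffixes defined in the forest: " + ($alternative -join ', ')

$report = foreach ($domain in $forest.Domains) {
    # Only accounts that have a UPN set; query each domain directly.
    Get-ADUser -Filter 'UserPrincipalName -like "*"' -Server $domain |
        ForEach-Object {
            $suffix = ($_.UserPrincipalName -split '@')[-1]

            # Classify where the suffix comes from (-eq and -contains
            # are case-insensitive in PowerShell).
            if ($suffix -eq $domain) {
                $origin = 'own domain'
            } elseif ($suffix -eq $forest.RootDomain) {
                $origin = 'forest root domain'
            } elseif ($forest.Domains -contains $suffix) {
                $origin = 'other domain in forest'
            } elseif ($alternative -contains $suffix) {
                $origin = 'alternative suffix'
            } else {
                $origin = 'not in forest-wide list'
            }

            [pscustomobject]@{
                Domain = $domain
                Suffix = $suffix
                Origin = $origin
            }
        }
}

# One row per domain/suffix combination with the number of accounts using it.
$report | Group-Object Domain, Suffix, Origin |
    Sort-Object Name |
    Select-Object Count, Name
```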
 
What I didn't see in your post is that you have three separate trees (I had
child domain in my head when writing the answer :-), don't ask why, I just have
no excuse).

You are right, admins from ahf.net and mhf.net can only create UPN suffixes
for their domains and not for the root forest domain. So if I understand you
right, ahf.net administrators can create users with root domain suffixes? If
you log on as Administrator in the ahf.net domain and use AD Users and
Computers, then can you select the forest root UPN for a user?

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com
 
No problem, my phrasing wasn't so hot either.

I'll give that a try and let you know. I do know that we (mhh.net) cannot
select the UPN during user creation.

I'll keep the group posted.

Greg
 