Same UPN Suffix on Separate Forests

Cory Diener 21 Reputation points


We have a bit of an issue. We are an internal MSP for a company that owns multiple companies. All 7 of these companies have their own forests/domains. Since we are migrating all of them to Office 365, we decided now would be the best time to collapse everything into one forest.

We have marked one of the domains as the forest to be collapsed upon, so we are adding the other 6's UPN suffixes to that one forest. We have created a 2-way transitive trust between the collapsed domain and all of the others (hub and spoke, so to speak). We are then recreating the users on this domain and marking their suffixes as necessary, also granting and denying rights as necessary. This has been working great (surprisingly) since most of the domains were set up with non-routable domains (.local); however, we have one domain that is routable, and the UPN suffix is not going away.

What will be the effect if we put the UPN suffix on the collapsed domain with the 2-way trust? I feel like it has the potential to cause issues, but at the same time, I'm not sure that it will. Just wanted to know if anyone else has had this scenario.


Accepted answer
Daniel Aldén 156 Reputation points


    You can use the same domain suffix in 2 different forests with a 2-way trust, but only add the UPN suffix to one of the domains in "Active Directory Domains and Trusts". In the forest where you don't have the UPN suffix, just add the suffix by PowerShell to the users (Set-ADUser -Identity name -UserPrincipalName name@keyman.com).
    If you add the UPN suffix in both forests, you get an error in the 2-way trust.

    Note that you need to verify conflicts before you sync your users from the 2 forests to 365.
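An added PowerShell example (not from the answer or the original post) that does the two things the answer describes: it stamps the UPN per user in the forest where the suffix is not registered, and it lists UPNs that exist in both forests before directory sync to Microsoft 365. The DC names, the OU path and the keyman.com suffix are assumed placeholders; the ActiveDirectory RSAT module and admin rights across the trust are assumed.

```powershell
# Added example, not from the original post. Placeholders: the hub (collapsed) forest is
# hub.local, the spoke forest is keyman.com, and keyman.com is the routable UPN suffix
# that must be registered in only ONE forest's UPNSuffixes list.
Import-Module ActiveDirectory

$Suffix  = 'keyman.com'             # routable UPN suffix registered only in the hub forest
$HubDC   = 'hub-dc01.hub.local'     # placeholder domain controller names
$SpokeDC = 'spoke-dc01.keyman.com'
$SpokeOU = 'OU=Staff,DC=keyman,DC=com'   # placeholder OU holding the spoke users

# 1. Guard: the suffix may appear in at most one forest's UPNSuffixes list,
#    otherwise the two-way trust reports a conflict, as the answer notes.
$hubSuffixes   = (Get-ADForest -Server $HubDC).UPNSuffixes
$spokeSuffixes = (Get-ADForest -Server $SpokeDC).UPNSuffixes
if (($hubSuffixes -contains $Suffix) -and ($spokeSuffixes -contains $Suffix)) {
    throw "UPN suffix $Suffix is registered in both forests; remove it from one first."
}

# 2. In the spoke forest (suffix NOT registered there) set the UPN per user.
#    Set-ADUser writes the attribute directly and does not require the suffix
#    to be in that forest's UPNSuffixes list. -WhatIf makes this a dry run.
Get-ADUser -Server $SpokeDC -SearchBase $SpokeOU -Filter { Enabled -eq $true } |
    ForEach-Object {
        $newUpn = "$($_.SamAccountName)@$Suffix"
        Set-ADUser -Server $SpokeDC -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }

# 3. Conflict check before syncing both forests to Microsoft 365: a UPN that
#    exists in both forests would collide on the same tenant identity.
$hubUpns = Get-ADUser -Server $HubDC -Filter * |
           Where-Object { $_.UserPrincipalName } |
           Select-Object -ExpandProperty UserPrincipalName
$spokeUpns = Get-ADUser -Server $SpokeDC -Filter * |
             Where-Object { $_.UserPrincipalName } |
             Select-Object -ExpandProperty UserPrincipalName

# -contains is case-insensitive, so Bob@keyman.com and bob@keyman.com are treated as the same UPN.
$conflicts = $spokeUpns | Where-Object { $hubUpns -contains $_ }
if ($conflicts) {
    Write-Warning "UPNs present in both forests; resolve these before enabling directory sync:"
    $conflicts | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output "No duplicate UPNs between $HubDC and $SpokeDC."
}
```

Remove -WhatIf from the Set-ADUser call once the dry-run output looks right.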
