DNS rules for alternative UPN suffixes

Vita
2020-09-10T07:17:20.37+00:00

Our email, served by a local Exchange 2019, has its own domain name (e.g. email.tld). The server itself is a member of the directory domain (e.g. mx.activedirectory.tld) like any other Exchange Server, but it's set to respond at the naked email.tld both inside and outside the intranet for IMAP, webmail, SMTP, ActiveSync and Exchange's own protocol plus virtual directories, not on the server's actual subdomain/hostname. It's got its own domain, so we just went to town with it.

But now we are adding email.tld as an alternative UPN suffix to the main activedirectory.tld to make it easier for users, but, as we know, the naked or main domains are reserved for domain controllers, and even if we made them host anything, Exchange cannot be installed on Domain Controllers.

Researching, I learned that alternative UPN suffixes don't actually have to exist, more or less like .local domain names, but .local domain names do actually exist when they're main directory domains, only not publicly. I didn't find anything more specific; I skimmed the documentation back to Windows Server 2008, but even skimming it took forever to get there. The newer information regarding UPN suffixes is specific to Azure-joined domains. My question is: do the rules for main directory domains also apply to alternative UPN suffixes?

Thanks for your help!


Accepted answer
Anonymous
2020-09-11T03:28:45.84+00:00

    Hello,

    Thank you so much for posting here.

If the domain user (aa@afg.com) would like to log on with the email address (aa@Karima ben.com), alternative UPN suffixes could solve the problem. The solution is as shown below.

1. Open AD Domains and Trusts, click AD Domains and Trusts and choose "Properties". Add the alternative UPN suffix, for example, hotmail.com.

[screenshot 24033-11.png]

2. Then configure the User logon name as shown below.

[screenshot 23954-12.png]

3. The user could log on with aa@Karima ben.com. After successfully logging in, use the whoami command to verify the currently logged-in user; the user name displayed is still BOOK\aa.

[screenshot 23926-13.png]

[screenshot 23966-14.png]

[screenshot 23927-15.png]

    "You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for the existing user account. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name."

A UPN suffix gives the user the ability to use a friendly user logon name that does not match the domain's or parent domains' naming structure, but the original domain name authentication won't be affected.

    For more information, we could refer to:
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11)?redirectedfrom=MSDN

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
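The same three steps as a script, added here as an example; it is not part of the accepted answer and not Microsoft's own sample. It assumes the RSAT ActiveDirectory module is available, Enterprise Admin rights for the forest-level change, and the hypothetical names from the question (forest activedirectory.tld, alternative suffix email.tld, user aa). It also adds the audit a practitioner would want afterwards: listing every account whose UPN suffix is not one the forest has registered.

```powershell
# Added example: PowerShell equivalent of the GUI steps in the accepted answer.
# Names below (email.tld, user aa) are hypothetical, taken from the question.
Import-Module ActiveDirectory

$suffix = 'email.tld'
$sam    = 'aa'

# Step 1: register the alternative UPN suffix. This is a forest-wide setting
# (the uPNSuffixes attribute on the Partitions container), so it is done once
# with Set-ADForest, not per domain. No DNS zone for $suffix is required.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $suffix }
    $forest = Get-ADForest   # re-read so the audit below sees the new suffix
}

# Step 2: set the "User logon name" for the account. In AD this is simply the
# userPrincipalName attribute; sAMAccountName (the DOMAIN\aa form) is untouched.
$user = Get-ADUser -Identity $sam -Properties UserPrincipalName
Set-ADUser -Identity $user -UserPrincipalName "$($user.SamAccountName)@$suffix"

# Step 3: verify. Expect UserPrincipalName = aa@email.tld while
# SamAccountName is still aa, which is why whoami keeps showing DOMAIN\aa.
Get-ADUser -Identity $sam -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# Audit: UPNs can be set to any string by LDAP, so check that every account's
# suffix is either a domain in the forest or a registered alternative suffix.
# Anything else was typed in by hand and is worth a look.
$allowed = @($forest.Domains) + @($forest.UPNSuffixes)
Get-ADUser -Filter 'UserPrincipalName -like "*"' -Properties UserPrincipalName |
    Where-Object { $allowed -notcontains ($_.UserPrincipalName -split '@')[1] } |
    Select-Object SamAccountName, UserPrincipalName
```

Two caveats worth knowing before rolling this out: the suffix is forest-wide, so a naming clash with another forest's suffix will matter later if trusts or routing are involved; and if these accounts are ever synchronised to Azure AD, the suffix must be a verified domain in that tenant, otherwise the sync replaces it with the tenant's default onmicrosoft.com suffix.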

