Question asked by SenseiVITA

DNS rules for alternative UPN suffixes

Our email, served by local Exchange 2019, has its own domain name (e.g. email.tld). The server itself is a member of the directory domain (e.g. mx.activedirectory.tld) like any other Exchange Server, but it's set to respond at the naked email.tld both in and out of the intranet for IMAP, webmail, SMTP, ActiveSync and Exchange's own protocol plus virtual directories, not on the server's actual subdomain/hostname. It's got its own domain so we just went to town with it.

But now we're adding email.tld as an alternative UPN suffix to the main activedirectory.tld to make it easier for users but, as we know, the naked or main domains are reserved for domain controllers and even if we'd make them host anything, Exchange cannot be installed on Domain Controllers.

Researching, I learned that alternative UPN suffixes don't actually have to exist, more or less like the .local domain names, but .local domain names do actually exist when they're main directory domains, only not publicly. I didn't find anything more specific; I skimmed the documentation back to Windows Server 2008 but even skimming it took forever to get there. The newer information regarding UPN suffixes is specific to Azure-joined domains. My question is, do the rules for main directory domains also apply to alternative UPN suffixes?

Thanks for your help!

Tags: windows-active-directory, windows-dhcp-dns

1 Answer

Answer from HannahXiong-MSFT

Hello,

Thank you so much for posting here.

If the domain user (aa@book.com) would like to log on with the email address (aa@hotmail.com), alternative UPN suffixes could solve the problem. The solution is as shown below.

1. Open AD Domains and Trusts, right-click "Active Directory Domains and Trusts" and choose "Properties". Add the alternative UPN suffix, for example, hotmail.com.

2. Then configure the User logon name as shown below.

3. The user can log on with aa@hotmail.com. After successfully logging in, use the whoami command to verify the currently logged-in user; the user name displayed is still BOOK\aa.


"You can use Active Directory Domains and Trusts to add user principal name (UPN) suffixes for the existing user account. The default UPN suffix for a user account is the Domain Name System (DNS) domain name of the domain that contains the user account. You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest, and it is not required to be a valid DNS domain name."

A UPN suffix gives users the ability to use a friendly user-logon name that does not match the domain's or parent domains' naming structure, but the original domain name authentication won't be affected.

For more information, we could refer to:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11)?redirectedfrom=MSDN

For any question, please feel free to contact us.

Best regards,
Hannah Xiong

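The three steps above, done with the ActiveDirectory PowerShell module instead of the GUI, as an added example that is not part of the original answer. It assumes the placeholder suffix `email.tld` and user `aa`, a host with RSAT installed, and an account allowed to modify the forest; the uniqueness check is added because a duplicate UPN makes logon with that name ambiguous.

```powershell
# Added example (not from the original answer). Assumed placeholders: suffix
# 'email.tld' (need not be a resolvable DNS zone) and user 'aa'. Requires RSAT.
Import-Module ActiveDirectory

$Suffix     = 'email.tld'   # assumed alternative UPN suffix
$SamAccount = 'aa'          # assumed user
$NewUpn     = "$SamAccount@$Suffix"

# 1. Register the suffix at forest level (same as AD Domains and Trusts > Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Registered alternative UPN suffix $Suffix"
}

# 2. Refuse to assign a UPN another account already holds. Query the global
#    catalog (port 3268) so the check covers the whole forest, not one domain.
$gc    = "$($forest.RootDomain):3268"
$clash = Get-ADUser -Filter "UserPrincipalName -eq '$NewUpn'" -Server $gc -SearchBase '' |
         Where-Object { $_.SamAccountName -ne $SamAccount }
if ($clash) {
    throw "UPN $NewUpn is already used by $($clash.DistinguishedName)"
}

# 3. Set the user logon name (the "User logon name" field on the Account tab).
Set-ADUser -Identity $SamAccount -UserPrincipalName $NewUpn

# 4. Verify: the UPN changed, but the NetBIOS-style identity reported by
#    whoami after logon is unchanged (DOMAIN\sAMAccountName, e.g. BOOK\aa).
$user   = Get-ADUser -Identity $SamAccount -Properties UserPrincipalName
$domain = Get-ADDomain
[pscustomobject]@{
    LogonUpn   = $user.UserPrincipalName
    WhoamiName = "$($domain.NetBIOSName)\$($user.SamAccountName)"
}
```

Running `whoami /upn` in the user's session shows the new suffix, while plain `whoami` keeps showing the DOMAIN\user form the answer describes.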

Hello,

I am checking how the issue is going, if you still have any questions, please feel free to contact us.

Thank you so much for your time and support.

Best regards,
Hannah Xiong


Hello,

Does this question have any update or has this issue been solved? Also, for the question, is there any other assistance we could provide?

Besides, there is an email notifications function on this forum. It is suggested that you set it up so that you receive prompts for responses in time.
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html

Thank you so much for your time and support.

Best regards,
Hannah Xiong


Thanks, that's what I thought but the public domain name (hotmail.com) made it crystal clear for once.

I want to keep using Exchange at the naked domain level and finally I will without worries.

This will also allow us to use the actual email address for ADFS; it's caused a lot of confusion but it's finally going to be over! :D