UPN Suffix issue in a forest

Dharmil Sanghvi 1 Reputation point
2022-07-07T06:17:11.47+00:00

Hello,

We have a forest/domain named: apple.com. We have added another domain as a Tree of that forest: orange.com

When we try to create a user in the orange.com domain, it allows us to create a user with apple.com suffix. This creates unnecessary problems.

So, for example, if we already have a user tim<at>apple.com in the apple.com domain and we create another user tim<at>apple.com in the orange.com domain, this creates an issue with the UPN being redundant in both places.

Is there any way to avoid this? Like it should throw an error or something?

The thing that we are trying to accomplish here is: a user in either domain should easily be able to access resources anywhere, given the correct access.

Also - is there a way through which we can create an admin in the Tree domain, who has access to manage resources only in Tree domain (orange.com) and not the root domain? I assigned them to domain admin in the tree domain, but they can still view/edit/modify users in root domain.


2 answers

  1. rr-4098 1,321 Reputation points
    2022-07-09T14:57:09.867+00:00

    I believe that adding multiple domain suffixes to AD is a forest-wide selection and cannot be isolated to one domain. (I am still looking for a document to confirm this.) Also, from Windows 2012 R2 on, AD blocks the creation of accounts with the same UPN: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/spn-and-upn-uniqueness

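As an added example that is not part of this thread, the following PowerShell audit walks every domain in the forest and reports the two conditions the question describes: accounts whose UPN suffix is not the DNS name of the domain they live in (such as a user created in orange.com with an apple.com suffix), and UPNs that occur more than once anywhere in the forest. It assumes the RSAT ActiveDirectory module is installed and the account running it has read access to each domain; the function name Find-UpnIssues is made up for this example.

```powershell
# Added example, not code from the thread or from Microsoft.
# Requires the RSAT ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Find-UpnIssues {
    $forest = Get-ADForest

    # Collect every account that has a UPN, tagging each with its home domain.
    # -Server <domain DNS name> lets the DC locator pick a DC in that domain.
    $users = foreach ($domain in $forest.Domains) {
        Get-ADUser -Server $domain -Filter 'userPrincipalName -like "*"' `
                   -Properties userPrincipalName |
            Select-Object SamAccountName, UserPrincipalName,
                @{ Name = 'Domain'; Expression = { $domain } }
    }

    # (a) UPN suffix that does not match the account's own domain.
    # Note: suffixes registered forest-wide (Get-ADForest).UPNSuffixes may be
    # intentional; review those hits rather than treating all of them as errors.
    $mismatched = $users | Where-Object {
        $suffix = ($_.UserPrincipalName -split '@', 2)[1]
        $suffix -and ($suffix -ne $_.Domain)
    }

    # (b) Same UPN present more than once across the forest
    # (the tim@apple.com in both trees case from the question).
    $duplicates = $users |
        Group-Object -Property UserPrincipalName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                Domains           = ($_.Group.Domain -join ', ')
                SamAccountNames   = ($_.Group.SamAccountName -join ', ')
            }
        }

    [pscustomobject]@{
        MismatchedSuffix = @($mismatched)
        DuplicateUpns    = @($duplicates)
    }
}

$report = Find-UpnIssues
$report.MismatchedSuffix | Format-Table -AutoSize
$report.DuplicateUpns    | Format-Table -AutoSize
```

Run it from a scheduled task or a periodic review so that a duplicate or cross-domain suffix is caught soon after it is created, independent of whether the DCs enforce uniqueness at creation time.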

  2. Limitless Technology 39,511 Reputation points
    2022-07-11T14:10:31.26+00:00

    Hi there,

    You can try the multiple-domain configuration for avoiding this situation. The DNS server will respond to the query in a round-robin fashion if the DC has multiple NICs registered in DNS. The DNS will serve the client with all the records available for that DC.

    Steps to avoid registering unwanted NICs in DNS on a multihomed domain controller

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/unwanted-nic-registered-dns-mulithomed-dc

    How to restrict use of a computer to one domain user only

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/restrict-use-one-domain-user-only

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.
