How to Add UPN Suffixes in Active Directory


In this Ask an Admin, I’ll explain how to add UPN suffixes to Active Directory and how UPN suffixes form part of Active Directory (AD) logon names. For example, if your logon name is [email protected], the part of the name to the right of the @ sign is known as the UPN suffix (so, in this case, ad.contoso.com).

Editor’s Note: If you need a quick primer on what UPN is from a Microsoft perspective, an article about UPN on the Windows Developer Network elaborates:

“This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user’s ID and the domain name.”

When you configure a new user account in AD, you are given the option to select a UPN suffix, which by default will be the DNS name for your AD domain. There are situations where it can be useful to have a selection of UPN suffixes available. If your AD domain name is ad.contoso.com, it might be more convenient to assign users a UPN suffix of contoso.com. To make additional UPN suffixes available, you need to add them to AD.

Adding a UPN Suffix to Active Directory

The following instructions apply to Windows Server 2012 and later editions.

  • Log in to Windows Server with a domain administrator account.
  • Open Server Manager using the icon on the desktop taskbar, or from the Start screen.
  • Select Active Directory Domains and Trusts from the Tools menu.
  • In the Active Directory Domains and Trusts management console, right-click Active Directory Domains and Trusts in the left pane and select Properties from the menu.
  • In the dialog box on the UPN Suffixes tab, type the name of the suffix that you would like to add to your AD forest in the Alternate UPN suffixes box. Click Add and then OK.
  • Close the Active Directory Domains and Trusts console.

Choose a UPN when configuring a new user in Active Directory

Now when you add a new user account to Active Directory, you should see the new UPN suffix available in the list when setting the username.

If you still have questions about the care and feeding of UPN, Microsoft TechNet has an extensive article on naming conventions in Active Directory. If you have other issues with UPN in your IT environment, I’d suggest that you take a look at the Petri forums, which include discussion of such UPN topics as having multiple UPNs in your AD forest, or creating a custom UPN suffix for an OU. My Petri IT Knowledgebase colleague John O’Neill, Sr., also touches on UPN configuration in his article about integrating Active Directory with Office 365.

FAQs

How do I add UPN suffixes to Active Directory using PowerShell commands?

To add a UPN suffix to Active Directory using PowerShell, run the following command, replacing YourForestName with the fully qualified name of your forest root domain:

Set-ADForest -Identity YourForestName -UPNSuffixes @{Add='newupn.com'}

This method is particularly useful for bulk operations and automation in Active Directory environments.

Can I add UPN suffixes to Active Directory without a domain controller restart?

Yes, adding a UPN suffix to Active Directory does not require a restart. The change takes effect immediately across the forest, and users can start using the new UPN suffix right away.

What are the security implications when I add UPN suffixes to Active Directory?

When you add a UPN suffix to Active Directory, ensure it aligns with your organization’s security policies. Additional UPN suffixes can impact federation services, single sign-on configurations, and authentication mechanisms.

Is it possible to add a UPN suffix to Active Directory for specific organizational units only?

While you can add UPN suffixes to Active Directory at the forest level, restricting UPN suffixes to specific OUs requires additional configuration through Group Policy or custom scripts to manage user attributes.

How do I verify that a new UPN suffix was added successfully in Active Directory?

After adding a UPN suffix, you can verify it in PowerShell by running:

Get-ADForest | Select-Object -ExpandProperty UPNSuffixes

You should also confirm it appears in the User Logon Name dropdown when creating a new user in Active Directory Users and Computers (ADUC).
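The following script is an added example, not part of the original article, that combines the Set-ADForest and Get-ADForest steps above into one idempotent, self-verifying operation. It assumes the ActiveDirectory RSAT module and an Enterprise Admin session; the parameter name $Suffix and the suffix you pass in (for example contoso.com) are placeholders of my own.

```powershell
# Added example (not from the original article): add a UPN suffix to the forest
# only if it is missing, then re-read the forest object to verify the write.
# Assumes the ActiveDirectory module and Enterprise Admin rights; $Suffix is a
# placeholder parameter name chosen for this example.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)]
    # Accept only a plausible DNS name such as contoso.com, not a bare word.
    [ValidatePattern('^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}$')]
    [string]$Suffix
)

$forest = Get-ADForest

# The default suffixes are the forest's own domain names, so treat those plus
# the alternate suffixes as "already present".
$present = @($forest.UPNSuffixes) + @($forest.Domains)

if ($present -contains $Suffix) {
    Write-Host "UPN suffix '$Suffix' is already available in forest $($forest.Name)."
} else {
    # Set-ADForest edits the Partitions container in the Configuration partition,
    # which is why forest-level (Enterprise Admin) rights are required.
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
    Write-Host "Added UPN suffix '$Suffix' to forest $($forest.Name)."
}

# Verify against a fresh read rather than trusting that the write succeeded.
$after = @((Get-ADForest).UPNSuffixes)
if ($after -notcontains $Suffix) {
    throw "Verification failed: '$Suffix' is not listed in UPNSuffixes."
}

# Report accounts that already carry this suffix. A UPN can be set to a suffix
# that is not in the forest list, so this shows whether any users were given it
# out of band before it was registered.
Get-ADUser -Filter "UserPrincipalName -like '*@$Suffix'" -Properties UserPrincipalName |
    Select-Object Name, UserPrincipalName, Enabled
```

Run it as `.\Add-UpnSuffix.ps1 -Suffix contoso.com` (script name is a placeholder); the final query is read-only and lists any users already using that suffix.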