How to Add UPN Suffixes in Active Directory

In this Ask an Admin, I’ll explain what User Principal Name (UPN) suffixes are and how to add them to your Active Directory infrastructure. UPN suffixes form part of Active Directory (AD) logon names. For example, if your logon name is [email protected], the part of the name to the right of the ampersand is known as the UPN suffix (so, in this case ad.contoso.com).

Editor’s Note: If you need a quick primer on what UPN is from a Microsoft perspective, an article about UPN on the Windows Developer Network elaborates:

“This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user’s ID and the domain name.”

When you configure a new user account in AD, you are given the option to select a UPN suffix, which by default will be the DNS name for your AD domain. There are situations where it can be useful to have a selection of UPN suffixes available. If your AD domain name is ad.contoso.com, it might be more convenient to assign users a UPN suffix of contoso.com. To make additional UPN suffixes available, you need to add them to AD.

Adding a UPN Suffix to Active Directory

The following instructions apply to Windows Server 2012 and later editions.

• Log in to Windows Server with a domain administrator account.
• Open Server Manager using the icon on the desktop taskbar, or from the Start screen.
• Select Active Directory Domains and Trusts from the Tools menu.
• In the Active Directory Domains and Trusts management console, right-click Active Directory Domains and Trusts in the left pane and select Properties from the menu.
• In the dialog box on the UPN Suffixes tab, type the name of the suffix that you would like to add to your AD forest in the Alternate UPN suffixes box. Click Add and then OK.
• Close the Active Directory Domains and Trusts console.

Now when you add a new user account to Active Directory, you should see the new UPN suffix available in the list when setting the username.

If you still have questions about the care and feeding of UPN, Microsoft Technet has an extensive article on naming conventions in Active Directory. If you have other issues with UPN in your IT environment, I’d suggest that you take a look at the Petri forums, which include discussion of such UPN topics as having multiple UPNs in your AD forest, or creating a custom UPN suffix for an OU. My Petri IT Knowledgebase colleague John O’Neill, Sr., also touches on UPN configuration in his article about integrating active directory with Office 365