Using multiple UPN suffixes for users in single directory

ActiveDir.org is always a source of all sorts of directory related discussion, in most cases interesting ones. I have to admit that I would like to have more time to catch up with ActiveDir.org and to be more active there (note to self), but with Wojtek @ home (he's growing) it is getting even harder than before.

BTW – if you want to look for something AD related, you can use the custom search engine put together by Rick, one of the ActiveDir.org members.

Today I was lurking through posts and found a discussion about using multiple UPN suffixes within a domain, and by "multiple" the member who asked the question meant a few thousand. This configuration was intended to allow some users (partners) to log on to a hosted directory with their e-mail addresses.

A few useful pieces of information were thrown into the thread. Quick summary:

  • The GUI limits the number of suffixes that can be entered at forest level to 850 (Andrew Levicki); more can be added with scripts.
  • "More" means ~1300 UPN suffixes in Windows 2003 and later, which can be stored in the upnSuffixes attribute on CN=Partitions,<configuration partition>; with a script you can enter whatever you like for a specific user (joe). It is the UI which enforces the forest-wide suffixes on user objects. You have to be careful if it is a configuration with a forest trust [1]. But for that number of users and suffixes the GUI probably won't be the preferred tool.
  • There are explicit and implicit types of UPNs (Rick S.). See also KB 929272.
  • If you want to use the GUI anyway, you can easily extend the context menu with a script which will allow you to set the desired UPN suffix for a user (Jorge).

The last comment from Jorge about extending the UI in this way caught my eye, as there is a slightly more comfortable option, often omitted, if you want to be able to set a different UPN suffix for users in a hosted (or similar) environment: setting the upnSuffixes attribute at OU level.

If the users which will share a common UPN suffix can be grouped in a single OU structure (for example users from a single partner company), one can set the upnSuffixes attribute on that OU to the desired value.

This value will later be presented in the GUI when a new user is created, along with the other UPN suffixes configured for the forest.

Voilà … and it's done. The problem is that for another OU in this structure the same (or a different) value will have to be set, as this information is not inherited from the parent OU.
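As an added example (not from the original post or the thread), the following PowerShell uses the RSAT ActiveDirectory module to stamp a partner suffix on every OU in a subtree, since the attribute is not inherited, and then on the users inside it; the OU path and the suffix partner.example are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, a hypothetical partner OU and a hypothetical suffix "partner.example".
Import-Module ActiveDirectory

$partnerOu = 'OU=Contoso Partners,OU=Hosted,DC=corp,DC=example'   # assumed OU path
$suffix    = 'partner.example'                                    # assumed suffix

# 1. upnSuffixes on an OU is NOT inherited by child OUs, so walk the whole
#    subtree (parent included) and add the value to every OU that lacks it.
$ous = Get-ADOrganizationalUnit -SearchBase $partnerOu -SearchScope Subtree `
        -Filter * -Properties upnSuffixes
foreach ($ou in $ous) {
    if ($ou.upnSuffixes -notcontains $suffix) {
        # -Add appends to the multi-valued attribute; -Replace would wipe other values
        Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -Add @{upnSuffixes = $suffix}
        Write-Host "Added $suffix to $($ou.DistinguishedName)"
    }
}

# 2. A script is not bound by the forest-wide list, but with a forest trust the
#    suffix must also be routable (see note [1]), so warn when it is missing
#    from the forest-level upnSuffixes list.
$forestSuffixes = (Get-ADForest).UPNSuffixes
if ($forestSuffixes -notcontains $suffix) {
    Write-Warning "$suffix is not in the forest-wide UPN suffix list; review name suffix routing on any forest trusts before relying on it."
}

# 3. Set the UPN of every user in the subtree to <sAMAccountName>@<suffix>.
#    -WhatIf only reports the changes; remove it to apply them.
Get-ADUser -SearchBase $partnerOu -SearchScope Subtree -Filter * |
    ForEach-Object {
        $upn = "$($_.SamAccountName)@$suffix"
        if ($_.UserPrincipalName -ne $upn) {
            Set-ADUser -Identity $_ -UserPrincipalName $upn -WhatIf
        }
    }
```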

But I will agree with joe – with that number of users the GUI probably won't be the preferred tool. But anyway … it is good to know and maybe somebody will benefit from this knowledge.

[1] – When using multiple UPN suffixes you have to remember that as long as these suffixes are only used within a single forest they are not so important. However, with multiple forests UPN suffixes are used to route authentication requests, so you don't want to get this broken; plan for it before you deploy it in production.