User objects with 2 UPNs - default connection broke

We have an AD domain with a .local extension that is different from our actual domain. So, at user object level in AD, Primary UPN: logonname@addomain.local

To implement Office365, we needed to have the actual domain. So when creating user objects, we set the UPN as logonname@actualdomain.edu. So, the new primary UPN: logonname@actualdomain.edu.

After we changed the primary UPN, I am able to see 2 UPN dropdowns in the account management tab. The first one was @actualdomain.edu and the second one was @addomain.local(default).

We were thinking that, when users log in, they can use either one of these @UPNs, but as soon as we added logonname@actualdomain.edu as the primary UPN, it broke the existing connection (@addomain.local). Applications with addomain.local\username broke. What are we doing wrong? Should we add an alternate UPN (or UPNSuffixes) at domain level or at the OU level?


  • Edited by fim_sc 11 hours 41 minutes ago
September 1st, 2015 3:29pm

Each user can have only one value assigned to userPrincipalName. It is single valued. However, users can always log on with

<sAMAccountName>@<dns domain name>

For example, if the sAMAccountName (pre-Windows 2000 logon name) is jsmith, and the domain is mydomain.com, the user can always log on using jsmith@mydomain.com. If userPrincipalName is assigned to be jks@otherdomain.com, then the user can also log on with that name, as long as it is unique. Note that <sAMAccountName>@<dns domain name> will always be unique.

When you assign userPrincipalName in ADUC (it is called user logon name) you assign a upnSuffix from the pulldown menu. That pulldown can be multi-valued, but only one upnSuffix can be assigned to the user at a time.

September 1st, 2015 8:27pm
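
The logon-name forms described in the answer above can be listed for one account with the following added example, which is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the account lives in the domain you are logged on to, and reuses the answer's sample name `jsmith`; the function name `Get-UserLogonNames` is hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in the directory.
Import-Module ActiveDirectory

function Get-UserLogonNames {
    param(
        [Parameter(Mandatory)][string]$Identity   # sAMAccountName, DN, GUID or SID
    )

    $user   = Get-ADUser -Identity $Identity -Properties userPrincipalName
    $domain = Get-ADDomain     # domain of the logged-on user (assumed to hold the account)
    $forest = Get-ADForest

    # Suffixes known at forest level: the DNS names of the forest's domains plus the
    # alternative UPN suffixes registered on the forest. Suffixes set on an individual
    # OU (uPNSuffixes attribute) are not checked here.
    $known = @($forest.Domains) + @($forest.UPNSuffixes)

    $explicitSuffix = $null
    $sameUpnCount   = 0
    if ($user.UserPrincipalName) {
        $explicitSuffix = ($user.UserPrincipalName -split '@')[-1]
        # Uniqueness check, limited to the current domain (not the whole forest).
        $filter = "userPrincipalName -eq '$($user.UserPrincipalName)'"
        $sameUpnCount = @(Get-ADUser -Filter $filter).Count
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        # The single value stored in userPrincipalName ("User logon name" in ADUC).
        ExplicitUPN       = $user.UserPrincipalName
        # <sAMAccountName>@<dns domain name>, built from the domain's DNS name.
        ImplicitUPN       = '{0}@{1}' -f $user.SamAccountName, $domain.DNSRoot
        # Pre-Windows 2000 form: NETBIOSDOMAIN\sAMAccountName.
        DownLevelName     = '{0}\{1}' -f $domain.NetBIOSName, $user.SamAccountName
        SuffixRegistered  = [bool]($explicitSuffix -and ($known -contains $explicitSuffix))
        AccountsWithUPN   = $sameUpnCount   # 1 means the explicit UPN is unique in this domain
    }
}

Get-UserLogonNames -Identity 'jsmith'
```

Note that the down-level name uses the NetBIOS domain name, which is a different string from the domain's DNS name.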

This is what I see in my environment.

User logon name:

abc @dnsdomainname.edu (the second value in the dropdown is addomainname.local)

User logon name (pre-windows 2000):

addomainname\  abc

For users to log on using dnsdomainname.edu, should that be added to UPN suffixes at domain level? Is it necessary? When we added the @dnsdomainname.edu to UPN, abc@addomainname.local stopped working even though user logon name (pre-windows) stayed the same.

September 1st, 2015 9:30pm
