Exchange Server and UPN Suffixes for an OU

by Bharat Suneja

What’s a UPN?

Since the Windows NT days and NetBIOS-style NT domain names, we have been used to logging in using the DOMAIN\Username format. With the shift to Active Directory in Windows 2000 Server, we can use a User Principal Name (UPN), a login that looks like (and can generally be made to match) our email address, for example [email protected].

What’s a UPN suffix?

A UPN suffix is what shows up after the @ character in your UPN. In DNS terms, this would be the domain name. In fact, Active Directory picks it up from the DNS name of the Active Directory domain, but you can add additional UPN suffixes to the Forest using Active Directory Domains and Trusts. These UPN suffixes are then available for use when creating new users.

Figure 1: Adding alternate UPN suffixes using Active Directory Domains and Trusts

Can OUs have their own UPN suffixes?

Until recently, I was oblivious to the fact that OUs can indeed have their own UPN suffixes! No, I've never had to use these, and there was really no way of adding them using native Active Directory tools like ADUC. You can add a UPN suffix for an OU using tools such as ADSIEdit.

Figure 2: Adding alternate UPN suffix to an OU using ADSIEdit

In Windows 2008 R2, you don’t have to use ADSIEdit to edit attributes in a domain. Active Directory Users & Computers includes a built-in Attribute Editor.

UPN suffixes added to an OU (this is a multi-valued attribute, so more than one suffix can be added) are then available for use when creating new users in that OU or modifying existing ones.

One effect of adding these OU-specific suffixes: if you've added any additional UPN suffixes for the Active Directory Forest, none of those additional UPN suffixes can be used for objects in that OU. Only the default UPN suffix (the one matching the DNS domain name) and the OU-specific suffixes are available for objects in that OU.

Another thing to note about these OU-specific UPN suffixes: they are stored in an attribute of the OU, in the Domain partition, not in the Configuration partition where forest-wide suffixes live. Which brings us to our next question.
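As an added example (not from the original post), the following PowerShell shows how the availability rule above plays out against the directory: it reads the OU's multi-valued uPNSuffixes attribute and the forest-wide suffixes on the Partitions container, appends a suffix to an OU, and audits users in the OU whose UPN suffix is outside the set available there. It assumes the ActiveDirectory RSAT module and rights to read and write the OU's uPNSuffixes attribute; the OU DN and suffix in the usage lines are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (RSAT) and permission to read/write the OU's uPNSuffixes attribute.
Import-Module ActiveDirectory

# UPN suffixes available for objects in $OuDn, following the rule described
# above: the domain DNS name plus the OU's own suffixes when any are set,
# otherwise the domain DNS name plus the forest-wide alternate suffixes
# stored on CN=Partitions in the Configuration partition.
function Get-AvailableUpnSuffix {
    param([Parameter(Mandatory)][string]$OuDn)
    $domain    = Get-ADDomain
    $ou        = Get-ADOrganizationalUnit -Identity $OuDn -Properties uPNSuffixes
    $available = @($domain.DNSRoot)
    if ($ou.uPNSuffixes.Count -gt 0) {
        $available += $ou.uPNSuffixes
    } else {
        $configNc   = (Get-ADRootDSE).configurationNamingContext
        $partitions = Get-ADObject -Identity "CN=Partitions,$configNc" -Properties uPNSuffixes
        $available += $partitions.uPNSuffixes
    }
    return $available | Select-Object -Unique
}

# Append an OU-specific suffix; -Add keeps existing values of the
# multi-valued attribute instead of replacing them.
function Add-OuUpnSuffix {
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$Suffix)
    Set-ADOrganizationalUnit -Identity $OuDn -Add @{ uPNSuffixes = $Suffix }
}

# Audit: users under the OU whose UPN suffix is not in the available set,
# e.g. accounts created by scripts or other tools that bypass the picker.
function Find-UserWithUnexpectedUpnSuffix {
    param([Parameter(Mandatory)][string]$OuDn)
    $allowed = Get-AvailableUpnSuffix -OuDn $OuDn
    Get-ADUser -SearchBase $OuDn -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
        Where-Object { ($_.userPrincipalName -split '@')[-1] -notin $allowed } |
        Select-Object SamAccountName, userPrincipalName
}

# Usage (placeholder OU DN and suffix, adjust for your forest):
# Add-OuUpnSuffix -OuDn 'OU=Sales,DC=example,DC=com' -Suffix 'sales.example.com'
# Get-AvailableUpnSuffix -OuDn 'OU=Sales,DC=example,DC=com'
# Find-UserWithUnexpectedUpnSuffix -OuDn 'OU=Sales,DC=example,DC=com'
```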

Does Exchange use OU-specific UPN suffixes?

In Exchange 2003/2000, recipient management is performed from within ADUC, so no action is required from Exchange.

In Exchange 2007 and later, recipient management is performed using Exchange tools (EMC/EMS). When creating new mailboxes, Exchange 2007 does not read any OU-specific UPN suffixes.

Update: Exchange 2010 does allow you to use the OU's UPN suffix when creating a mailbox using the EMC or the Shell. When creating a mailbox using the EMC, if you specify the OU, Exchange shows you: a) the UPN suffixes for that OU; b) the default UPN suffix for the Active Directory domain and the root domain; c) any additional UPN suffixes for the domain. UPN suffixes for other OUs are not displayed in the drop-down.

Exchange 2013: At the time of writing, the EAC, the new web-based admin console in Exchange 2013, does not allow you to select any OU-specific UPN suffixes.

Does Exchange 2007 prevent you from using OU-specific UPN suffixes?

No. If you create recipients in ADUC or using any other tools or scripts, and Exchange comes across an object that has an OU-specific UPN suffix, it does not prevent you from using it.
