What console will you use to configure additional UPN suffixes for your domain?

You can simplify the management of Active Directory (AD) login names and improve the user login experience by adding alternate user principal name (UPN) suffixes to your Amazon Managed Microsoft AD directory. To do that, you must be logged on with the Admin account or with an account that is a member of the Amazon Delegated User Principal Name Suffix Administrators group. For more information about this group, see What gets created.

To add alternate UPN suffixes

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Locate an Amazon EC2 instance that is joined to your Amazon Managed Microsoft AD directory. Select the instance and then choose Connect.

  3. In the Server Manager window, choose Tools. Then choose Active Directory Domains and Trusts.

  4. In the left pane, right-click Active Directory Domains and Trusts and then choose Properties.

  5. In the UPN Suffixes tab, type an alternative UPN suffix (such as sales.example.com). Choose Add and then choose Apply.

  6. If you need to add additional alternative UPN suffixes, repeat step 5 until you have the UPN suffixes you require.
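The same change can be made and verified from a PowerShell session on the domain-joined instance. The following is an added example, not part of the AWS documentation above. It assumes the RSAT ActiveDirectory module is installed, that the session runs as the Admin account or a member of the Amazon Delegated User Principal Name Suffix Administrators group, and that `sales.example.com` is a placeholder for your own suffix. It also reads the `uPNSuffixes` attribute directly from the Partitions container in the configuration naming context, which is the value the Domains and Trusts dialog displays, so you can confirm the write landed even if the console is stale.

```powershell
# Added example (not AWS documentation code): add an alternate UPN suffix and verify it.
# Assumptions: ActiveDirectory module present; caller is allowed to modify forest UPN
# suffixes; 'sales.example.com' is a placeholder suffix.
Import-Module ActiveDirectory

$newSuffix = 'sales.example.com'   # placeholder; replace with your alternate suffix

$forest = Get-ADForest

# Skip the write if the suffix is already registered, so the change is idempotent.
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $newSuffix }
}

# Verify through the cmdlet view ...
Write-Host "Forest UPN suffixes (cmdlet view):"
(Get-ADForest).UPNSuffixes

# ... and straight from the attribute the console reads. uPNSuffixes is a
# multi-valued attribute on CN=Partitions in the configuration naming context.
$partitionsDn = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
Write-Host "uPNSuffixes attribute on ${partitionsDn}:"
(Get-ADObject -Identity $partitionsDn -Properties uPNSuffixes).uPNSuffixes
```

Run it once per additional suffix, or loop over a list; the membership check keeps repeated runs harmless.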


    GaryReynolds answered Dec 6, '21 | EavenHuang commented Dec 7, '21

    Hi @EavenHuang

    If the extra UPN suffix is being displayed for all users, then an additional UPN has been added to CN=uPNSuffixes,CN=Partitions,CN=Configuration,DC=x,DC=x and should be displayed in the properties dialog in the Domains and Trusts console, but it's probably worth checking the attribute directly to make sure that nothing is set, in case the console is not displaying it for some reason.

    If the extra UPN is only displayed on a few users, then it's likely that a few users have had their UPN set to the additional UPN; you just need to change these users to the correct UPN. You could do a search for all users that have the other UPN by using the following LDAP query:

     (&(objectclass=user)(userPrincipalName=*@fake.com))

    Gary.


    EavenHuang · Dec 06, 2021 at 08:53 AM

    @GaryReynolds,

    Thanks a lot for your answer:) it's quite helpful.

    In our case, there is no additional UPN in Domains and Trusts console. I'm actually trying to figure out how these strange UPN suffixes were added and how to find out all of them. It's not just this fake.com, also quite some others:(

    By the way, how do I use the LDAP query? I didn't notice we can query this way.

    0 Votes 0 ·

    EavenHuang · Dec 06, 2021 at 09:09 AM

    Hi Gary @GaryReynolds,

    Now I figured out how to run the query, good point! I didn't know that before:(

    Quick question - do you have an idea how to run a query where I can see all the userPrincipalName except the default one? As I mentioned, I would like to check what other strange domain suffixes are existing in our AD.

    Thanks a lot for your help!

    0 Votes 0 ·

    GaryReynolds EavenHuang · Dec 06, 2021 at 10:39 AM

    Hi,

    You can use this query, where real.cn is the UPN that should be set; it will return all users that don't have the correct UPN:

     (&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*@real.cn)))
    
    Gary.

    1 Vote 1 ·

    EavenHuang · Dec 07, 2021 at 12:47 AM

    Thanks Gary, that's cool and well learned!

    I've checked and found there were many different users with different UPN suffixes, but those wrong suffixes were displayed respectively, i.e. user A has the suffix @wrong.cn, user B has the suffix @wrong2.com, all different from each other.

    Do you have any idea how come this happened? When a new user was created, somewhere their suffix could be customized?

    0 Votes 0 ·

    GaryReynolds EavenHuang · Dec 07, 2021 at 09:27 AM

    Through ADUC there is a selection for the UPN; however, if other tools are used to create the user, any UPN can be entered/set. It probably means that another tool has been used to create the user, or that someone has changed the UPN after the user was created.

    You can confirm whether the UPN has been changed after the user was created by looking at the metadata for the user objects. If you look at this article it will show how to display the metadata for the object. It will show the UPN with a higher version number than the sAMAccountName if the UPN has been changed after the user was created.

    Gary.

    0 Votes 0 ·
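The two questions in this thread, which stray suffixes exist across the directory and whether a stray UPN was set at creation or edited afterwards, can be answered in one pass from PowerShell. The block below is an added example and is not Gary's code. It assumes the ActiveDirectory module is available, uses `real.cn` as a placeholder for the expected suffix, and adds `objectCategory=person` to the filter because computer accounts also carry `objectClass=user` but never have a UPN, so they would otherwise match the negated clause. The creation-versus-edit check uses `Get-ADReplicationAttributeMetadata`: an attribute written once at creation carries version 1, and each later write increments it, so a `userPrincipalName` version above the `sAMAccountName` version indicates a post-creation change (the comparison is only indicative if the account was also renamed, since that bumps `sAMAccountName` too).

```powershell
# Added example (not code from the thread): enumerate users whose UPN suffix is not the
# expected one, summarise the stray suffixes, and check replication metadata to see
# whether each stray UPN was changed after the account was created.
# Assumptions: ActiveDirectory module present; 'real.cn' is a placeholder for the
# default suffix; the query runs against one discovered domain controller.
Import-Module ActiveDirectory

$expectedSuffix = 'real.cn'   # placeholder taken from the thread
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

# objectCategory=person keeps computer accounts out of the negated match.
$filter = "(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*@$expectedSuffix)))"

$strays = Get-ADUser -LDAPFilter $filter -Server $dc -Properties userPrincipalName, whenCreated

# 1) Which stray suffixes exist, and how many accounts carry each?
$strays |
    ForEach-Object {
        if ($_.UserPrincipalName) { ($_.UserPrincipalName -split '@')[-1] } else { '(no UPN)' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# 2) Per account: was the UPN written again after creation?
#    Version 1 = written once at creation; a higher version than sAMAccountName
#    means the UPN was edited later (see caveat in the lead-in about renames).
foreach ($u in $strays) {
    $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $dc `
                -Properties userPrincipalName, sAMAccountName
    $upnMeta = $meta | Where-Object AttributeName -eq 'userPrincipalName'
    $samMeta = $meta | Where-Object AttributeName -eq 'sAMAccountName'
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        UPN                = $u.UserPrincipalName
        Created            = $u.whenCreated
        UPNVersion         = $upnMeta.Version
        UPNLastChanged     = $upnMeta.LastOriginatingChangeTime
        ChangedAfterCreate = ($upnMeta.Version -gt $samMeta.Version)
    }
}
```

`LastOriginatingChangeTime` gives the timestamp of the most recent UPN write, which is the natural pivot for correlating with provisioning-system logs (such as an ERP connector) when tracing where a suffix came from.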

    EavenHuang GaryReynolds · Dec 07, 2021 at 11:35 PM

    Hi Gary @GaryReynolds,

    The article you shared returns a 403 error now:( Anyway, thanks for all your replies.

    We have ERP system where users can also be created and that's where things went wrong. We are all good with this case now:)

    What is UPN suffix in Active Directory?

    In Active Directory, the default UPN suffix is the DNS name of the domain where you created the user account. In most cases, this is the domain name that you register as the enterprise domain on the internet. If you create the user account in the contoso.com domain, the default UPN is of the form user-name@contoso.com.

    What is UPN in powershell?

    In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain in an email address format. In a UPN, the username is followed by a separator "at sign" (@) followed by the Active Directory internet domain.

    Where is UPN in Active Directory users and Computers?

    On the Domain Controller, open "Active Directory Users and Computers" (Start | Run | type: dsa.msc | press return). Locate the account, right-click and choose Properties. Select the Account tab; under "User logon name", ensure that both fields that make up the UPN are populated.