Step by Step: Add a UPN Domain in Windows Server

The Problem

A very common issue when moving an organization from an on-premises Exchange environment to Office 365 is an unusable domain name. It comes up when the name of the Active Directory domain has one of these problems:

  1. The domain used by AD is not “owned” by the organization. This happens when a company decides to use a specific domain name on its internal network after it has lost control of that domain name, or when it never had control of it in the first place.
  2. The domain used by AD uses a non-public TLD. Much more common than number 1, this happens when an organization uses a domain name that is not usable on the public Internet. IANA maintains a list of the top-level domains (TLDs) that can be used on the Internet. If the last part of your AD domain doesn’t match one of those TLDs, you will have some issues moving to O365.

The problem with these configurations is that those domains can’t be used as a login name for O365 accounts. This is because O365 follows a username convention called User Principal Names (UPNs). UPNs follow the username@domain convention, and if the domain portion of the UPN isn’t available on the Internet, O365 can’t use it.
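A quick way to check the second case (a non-public TLD) is to compare the last label of the forest root domain and of every UPN suffix against IANA’s published TLD list. The script below is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module and outbound HTTPS access to data.iana.org, and the function names are my own.

```powershell
# Added example (not from the original post): flag forest UPN suffixes whose
# last label is not a TLD delegated by IANA. Assumes the ActiveDirectory
# module and outbound HTTPS to data.iana.org.
Import-Module ActiveDirectory

function Get-IanaTldList {
    # IANA publishes delegated TLDs as one upper-case name per line;
    # the first line is a '#' comment with the version and timestamp.
    $text = (Invoke-WebRequest -Uri 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' -UseBasicParsing).Content
    $text -split "`n" |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }
}

function Test-PublicSuffix {
    param([string] $DomainName, [string[]] $TldList)
    $tld = $DomainName.Split('.')[-1].ToLowerInvariant()
    [pscustomobject]@{
        Domain    = $DomainName
        TLD       = $tld
        PublicTld = ($TldList -contains $tld)   # $false for names like corp.local
    }
}

$tlds   = Get-IanaTldList
$forest = Get-ADForest

# The forest root DNS name is the default UPN suffix; UPNSuffixes holds the ones added later.
@($forest.RootDomain) + @($forest.UPNSuffixes) |
    ForEach-Object { Test-PublicSuffix -DomainName $_ -TldList $tlds } |
    Format-Table -AutoSize
```

A `PublicTld` of `$false` means the suffix can never be used for O365 sign-in. A `$true` only says the TLD exists; it does not tell you whether your organization actually owns the domain (the first case above), which you still prove to O365 by adding its verification DNS record.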

The Fix

There isn’t a hard fix for this issue, but there is a way to work around it. To do so, you need to do a couple of different things. First, you need to add a new UPN suffix to your domain. Then you need to change all the users in the environment to use the new UPN suffix.

Add a UPN

Adding a UPN is pretty simple. First, go into Active Directory Domains and Trusts on your Domain Controller and follow these steps:

  1. Right-click on “Active Directory Domains and Trusts” and select Properties.
    (screenshot: Add a UPN, step 1)
  2. Enter the new domain you want to add, click the Add button, then click OK.
    (screenshot: Add a UPN, step 2)
  3. No Step 3. UPN is added and can be assigned to users.

Assign the UPN

Assigning the new UPN to user accounts can be done in a couple of different ways. First I’ll show you the GUI way, then I’ll give you a script to apply the change to the whole domain.

  1. Find a specific user in AD. Right-click and select Properties (or double-click) to open the account properties screen (shown below).
    (screenshot: Assign a UPN, step 1)
  2. Click on the Account tab and look under “User logon name.” This is the UPN. It’s generated by taking the sAMAccountName attribute (the pre-Windows 2000 logon name) and appending a UPN domain. Change it by clicking the domain part of the UPN and selecting the domain we added above.
    (screenshot: Assign a UPN, step 2)
  3. It’s possible to do this with a script as well if you want to do all users in one shot. I have one on TechNet that you can use. There are plenty of others.
  4. I *highly* recommend making sure the UPN matches the user’s email address. This will save you and your users a mountain full of grief.
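The script below is an added example covering both the “Add a UPN” and “Assign the UPN” sections; it is not the TechNet script mentioned above and is not part of the original post. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and that the suffix you pass is one you own. By default it only reports what it would change; `-Apply` makes the changes. It prefers the user’s `mail` attribute as the new UPN when that address already uses the new suffix, so the UPN matches the email address as recommended in step 4, and it refuses to create a duplicate UPN.

```powershell
# Added example (not from the original post): register a UPN suffix on the
# forest, then reassign users' UPNs to it, preferring the mail address.
# Assumes the ActiveDirectory module and Domain Admin rights. $NewSuffix is
# a placeholder for a domain you own.
#
# Usage:  .\Set-UpnSuffix.ps1 -NewSuffix contoso.com            # report only
#         .\Set-UpnSuffix.ps1 -NewSuffix contoso.com -Apply     # make changes
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $NewSuffix,
    [string] $SearchBase = (Get-ADDomain).DistinguishedName,   # narrow to an OU if wanted
    [switch] $Apply
)

Import-Module ActiveDirectory

# 1. Same effect as Active Directory Domains and Trusts > Properties > Add.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Write-Host "Adding UPN suffix $NewSuffix to forest $($forest.Name)"
    if ($Apply) { Set-ADForest -Identity $forest -UPNSuffixes @{Add = $NewSuffix} }
} else {
    Write-Host "UPN suffix $NewSuffix is already registered"
}

# 2. Work out the target UPN for every user not already on the new suffix.
$users  = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, UserPrincipalName
$report = foreach ($u in $users) {
    $current = $u.UserPrincipalName
    if ($current -and $current.Split('@')[1] -eq $NewSuffix) { continue }   # already done

    # Prefer the mailbox address when its domain is the new suffix (UPN == email);
    # otherwise fall back to sAMAccountName@suffix, which is what the GUI does.
    $target = if ($u.mail -and $u.mail.Split('@')[1] -eq $NewSuffix) {
        $u.mail
    } else {
        "$($u.SamAccountName)@$NewSuffix"
    }

    # UPNs must be unique in the forest; skip rather than create a clash.
    # Apostrophes (O'Brien) are doubled for the AD filter syntax.
    $safe  = $target.Replace("'", "''")
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$safe'"
    if ($clash -and $clash.ObjectGUID -ne $u.ObjectGUID) {
        Write-Warning "Skipping $($u.SamAccountName): $target is already used by $($clash.SamAccountName)"
        continue
    }

    [pscustomobject]@{ SamAccountName = $u.SamAccountName; OldUPN = $current; NewUPN = $target }
    if ($Apply) { Set-ADUser -Identity $u -UserPrincipalName $target }
}

$report | Format-Table -AutoSize
```

Running it without `-Apply` doubles as an audit: anything it lists is a user still on the old suffix, so re-running it after new accounts are created catches the ones that were made with the default suffix.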

From Now On…

Once you’ve got the above stuff done, you will want to make sure that new users get the UPN suffix changed. You can’t change the default UPN suffix, as that will always be the original domain name of the AD Domain. However, it is fairly simple to just click on the Account tab and switch the suffix before creating the user. If all else fails, you can just run the script to change the suffix again. If you don’t change it and you’re running O365 with Azure AD Connect, well, you’ll find out that you goofed when your new user shows up with a username of You can fix it then by just changing the UPN on-prem and forcing a sync.
