Brothers in arms...??????? COME ON RICK! It's Dean..... I've got an idea..... let's discuss it offline ;)   BTW, Dean I'm just the Indian Swede with a bizarre life according to Rick... :) LOL!!!! Does the word Geotard come to mind ;)
 
/The Swede

-------------------------------------
    Jimmy Andersson, Q Advice AB        
         Principal Advisor    
 Microsoft MVP - Directory Services
---------- www.qadvice.com ----------

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 20, 2004 7:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Oh, yeah - I remember the last heated discussion.  When you've got Stuart on the run, you don't give up, do you?  ;o)
 
Looking forward to some 'brothers-in-arms' time in Redmond.
 

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, March 20, 2004 7:32 AM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Great answer ... indeed they are.  Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely.
 
PS - Can't take yer liquor huh Joe? :-)
 
See you guys at the summit.
 
--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Saturday, March 20, 2004 4:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain.  This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest.  In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixes when added to the upnSuffixes attribute.
 
So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute.
 
But I guess I still earned the beer ;-)  I won't be on my way for another 6 hours.
 
Cheers,
Guido


From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 20, 2004 03:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Ah, see I may be getting old but I can kind of remember. :o)
 
Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o)
 
-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "across the trust" for authentication.  This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). 
 
Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix.
 
/Guido


From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 01:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?

Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting...
 
It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account.... I want to say it has something to do with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick...
 
-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, March 18, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do I really need to add UPNs?

Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to add it via script, I use Robbie's recipe 6.32.
 
But I can create all the users I want programmatically with any UPN I want without putting that UPN into the uPNSuffixes attribute.
 
Is the only purpose for this attribute to make it easier in ADU&C to pick a UPN value?
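
The check this thread converges on, as an added example that is not part of any message above: it groups user UPNs by whether their suffix falls under the forest root TLN, under a suffix stored in uPNSuffixes, or under neither. The user names, the `unlisted.example` suffix and the function names are constructed for illustration, and the sketch assumes a single-tree forest in which a name covers its subordinates.

```python
# Added example: all names and UPNs below are constructed sample data.
FOREST_ROOT = "mycompany.net"        # TLN of the forest root (from the thread)
REGISTERED = ["othercompany.net"]    # assumed contents of uPNSuffixes
SAMPLE_UPNS = [
    "alice@mycompany.net",
    "bob@otherOrg.mycompany.net",
    "carol@othercompany.net",
    "dave@emea.othercompany.net",
    "erin@unlisted.example",
    "no-at-sign",
]

def suffix_of(upn):
    """Return the lower-cased suffix after the last '@', or None if malformed."""
    name, sep, suffix = upn.rpartition("@")
    return suffix.lower() if sep and name and suffix else None

def covered_by(suffix, top_level_name):
    """True if suffix equals the top-level name or is subordinate to it."""
    tln = top_level_name.lower()
    return suffix == tln or suffix.endswith("." + tln)

def audit_upns(upns, forest_root, registered_suffixes):
    """Group UPNs by how their suffix relates to the forest-level names."""
    report = {"under_root_tln": [], "registered": [],
              "unregistered": [], "malformed": []}
    for upn in upns:
        suffix = suffix_of(upn)
        if suffix is None:
            report["malformed"].append(upn)
        elif covered_by(suffix, forest_root):
            report["under_root_tln"].append(upn)
        elif any(covered_by(suffix, s) for s in registered_suffixes):
            report["registered"].append(upn)
        else:
            # Set on the user object only: nothing at forest level lists it.
            report["unregistered"].append(upn)
    return report

if __name__ == "__main__":
    for group, members in audit_upns(SAMPLE_UPNS, FOREST_ROOT, REGISTERED).items():
        print(f"{group}: {members}")
```

The `unregistered` group holds the accounts whose suffix would have to be added to the attribute before it could be offered for TLN restrictions on a forest trust.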
 
