RE: [ActiveDir] Do I really need to add UPNs?
I used to be able to. I don't practice like I used to though and you know what happens when you don't practice enough. :o) See ya there... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Saturday, March 20, 2004 8:32 AMTo: AD mailing list (Send)Subject: RE: [ActiveDir] Do I really need to add UPNs? Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. PS - Can't take yer liquor huh Joe? :-) See you guys at the summit. -- Dean Wells MSEtechnology ( Tel: +1 (954) 501-4307 * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [Activ
RE: [ActiveDir] Do I really need to add UPNs?
actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
there'll be quite a few more folks standing at the bar that you'd love to chat with... - really worth it! From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 04:44To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Poor excuse, you learn better when people are standing around ripping on you. Sort of like being thrown in the middle of the lake. Anyway, who says I won't be the one doing all the learning? We will expect to see you at the bar in the Hyatt Sunday, Monday, Tuesday, Wednesday. I'll be the one being propped up Guido,Robbie, and Gil. My boss will be there too and you can ask how in the world he can put up with me. - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, March 19, 2004 9:42 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? I'm onlyan hour and a halfaway, but I came to the conclusion that I wasn't ready to be in the same place with all you real experts. :-P Performance anxiety, you know. :-P -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joeSent: Friday, March 19, 2004 9:22 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
It will only take three to prop me up though... See you in Reston Michael. ;o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:32 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? there'll be quite a few more folks standing at the bar that you'd love to chat with... - really worth it! From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 04:44To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Poor excuse, you learn better when people are standing around ripping on you. Sort of like being thrown in the middle of the lake. Anyway, who says I won't be the one doing all the learning? We will expect to see you at the bar in the Hyatt Sunday, Monday, Tuesday, Wednesday. I'll be the one being propped up Guido,Robbie, and Gil. My boss will be there too and you can ask how in the world he can put up with me. - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, March 19, 2004 9:42 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? I'm onlyan hour and a halfaway, but I came to the conclusion that I wasn't ready to be in the same place with all you real experts. :-P Performance anxiety, you know. :-P -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joeSent: Friday, March 19, 2004 9:22 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. PS - Can't take yer liquor huh Joe? :-) See you guys at the summit. -- Dean Wells MSEtechnology ( Tel: +1 (954) 501-4307 * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
Oh, yeah - I remember the last heated discussion. When you've got Stuart on the run, you don't give up, do you? ;o) Looking forward to some 'brothers-in-arms' time in Redmond. Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft MVP:Windows Server / Directory ServicesWindows Server / Rights ManagementAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzoneWebLog - www.msmvps.com/willhack4food From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing list (Send)Subject: RE: [ActiveDir] Do I really need to add UPNs? Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. PS - Can't take yer liquor huh Joe? :-) See you guys at the summit. -- Dean Wells MSEtechnology ( Tel: +1 (954) 501-4307 * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) Fr
RE: [ActiveDir] Do I really need to add UPNs?
Brothers in arms...??? COME ON RICK! It's Dean. I've go an idea. let's discuss it offline ;) BTW, Dean I'm just the Indian Swede with a bizzare life according to Rick... :) LOLDo the word Geotard come to mind ;) /The Swede - Jimmy Andersson, Q Advice AB Principal AdvisorMicrosoft MVP - Directory Services-- www.qadvice.com -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick KingslanSent: Saturday, March 20, 2004 7:05 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Oh, yeah - I remember the last heated discussion. When you've got Stuart on the run, you don't give up, do you? ;o) Looking forward to some 'brothers-in-arms' time in Redmond. Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft MVP:Windows Server / Directory ServicesWindows Server / Rights ManagementAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzoneWebLog - www.msmvps.com/willhack4food From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing list (Send)Subject: RE: [ActiveDir] Do I really need to add UPNs? Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. PS - Can't take yer liquor huh Joe? :-) See you guys at the summit. -- Dean Wells MSEtechnology ( Tel: +1 (954) 501-4307 * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has somet
RE: [ActiveDir] Do I really need to add UPNs?
I just realized, nobody knows me on this list besides Dean, Tony and Rick I hope I'm not beeing flamed because of this. :) Regards, /Jimmy the Swede - Jimmy Andersson, Q Advice AB Principal AdvisorMicrosoft MVP - Directory Services-- www.qadvice.com -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy AnderssonSent: Saturday, March 20, 2004 10:29 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Brothers in arms...??? COME ON RICK! It's Dean. I've go an idea. let's discuss it offline ;) BTW, Dean I'm just the Indian Swede with a bizzare life according to Rick... :) LOLDo the word Geotard come to mind ;) /The Swede - Jimmy Andersson, Q Advice AB Principal AdvisorMicrosoft MVP - Directory Services-- www.qadvice.com -- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick KingslanSent: Saturday, March 20, 2004 7:05 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Oh, yeah - I remember the last heated discussion. When you've got Stuart on the run, you don't give up, do you? ;o) Looking forward to some 'brothers-in-arms' time in Redmond. Rick Kingslan MCSE, MCSA, MCT, CISSPMicrosoft MVP:Windows Server / Directory ServicesWindows Server / Rights ManagementAssociate ExpertExpert Zone - www.microsoft.com/windowsxp/expertzoneWebLog - www.msmvps.com/willhack4food From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Saturday, March 20, 2004 7:32 AMTo: AD mailing list (Send)Subject: RE: [ActiveDir] Do I really need to add UPNs? Great answer ... indeed they are. Most of the info. is maintained as a blob (msDS-trustForestTrustInfo off the top of my head) on the representative TDO which, as you said, replicates to forest local GCs in order to allow CrackNames to resolve foreign-forest namespaces ... this particular attribute has been the cause of many a heated debate between myself and some Microsoft guys but that's another story entirely. PS - Can't take yer liquor huh Joe? :-) See you guys at the summit. -- Dean Wells MSEtechnology ( Tel: +1 (954) 501-4307 * Email: dwells@msetechnology.com http://msetechnology.com -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Saturday, March 20, 2004 4:30 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? actually I had to think some more about what I had posted - I believe the "officially" added UPNs are also stored in the respective TDO object of the trusting domain, which replicates to all the GCs of the own domain. This is how a DC in the trusting forest will know where to pass on the request if you logon to a workstation in the trusting forest with a UPN defined in the trusted forest. In addition - as mentioned before - you'll only be able to perform restrictions on these UPN suffixeswhen added to the upnSuffixes attribute. So I guess when you're using forest trusts and you do want to allow the "other" (not the implicit) UPNs for logon in the trusting forest, you'll have to add them to the attribute. But I guess I still earned the beer ;-) Won't I be on my way until another 6 hours. Cheers, Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Samstag, 20. März 2004 03:22To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions
RE: [ActiveDir] Do I really need to add UPNs?
Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
I'm onlyan hour and a halfaway, but I came to the conclusion that I wasn't ready to be in the same place with all you real experts. :-P Performance anxiety, you know. :-P -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joeSent: Friday, March 19, 2004 9:22 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
RE: [ActiveDir] Do I really need to add UPNs?
Poor excuse, you learn better when people are standing around ripping on you. Sort of like being thrown in the middle of the lake. Anyway, who says I won't be the one doing all the learning? We will expect to see you at the bar in the Hyatt Sunday, Monday, Tuesday, Wednesday. I'll be the one being propped up Guido,Robbie, and Gil. My boss will be there too and you can ask how in the world he can put up with me. - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, March 19, 2004 9:42 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? I'm onlyan hour and a halfaway, but I came to the conclusion that I wasn't ready to be in the same place with all you real experts. :-P Performance anxiety, you know. :-P -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joeSent: Friday, March 19, 2004 9:22 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Ah, see I may be getting old but I can kind of remember. :o) Thanks for the assist Guido. You have earned one crappy American Beer when you get here. Heck you may already be on the way. :o) - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)Sent: Friday, March 19, 2004 3:32 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Adding the UPN suffixes to the list of alternate UPNs will enable configuration of TLN restrictions (Top-Level Name restrictions) for forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the available UPN suffixes of the trusted forest incl. the stored alternate UPNs and allows you to configure which ones you allow to be used "accross the trust" for authentication. This is a must, if your UPN isn't a subordinate of the top level name of your root (e.g. TLN of root = "mycompany.net", but your alternative UPN suffix is "othercompany.net"). Alternative UPNs which are subordinates (e.g. "otherOrg.mycompany.net") can be added manually within the wizard by adding exceptions for your existing root-UPN suffix. /Guido From: joe [mailto:[EMAIL PROTECTED] Sent: Freitag, 19. März 2004 01:10To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Do I really need to add UPNs? Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
Re: [ActiveDir] Do I really need to add UPNs?
Gui admin is precisely the point. It serves no other purpose. On Mar 18, 2004, at 5:02 PM, Michael B. Smith wrote: Using the GUI, I can add a new UPN by opening AD Domains and Trusts, right clicking on the top item in the left pane and selecting properties. If I want to add it via script, I use Robbie's recipe 6.32. But I can create all the users I want programmatically with any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value? Brent Westmoreland BMW Group - Data Center Americas Business: 864.989.6567
RE: [ActiveDir] Do I really need to add UPNs?
Crap I knew the answer to this at one point... I must have reached the end of my event log and am now overwriting... It is for the GUI but there is something else that looks at that and if it isn't populated it doesn't know to take that UPN Suffix into account I want to say it has something to with Forest Trusts but I could be way out in left field. Basically *something* looks at the possible UPN Suffixes and that is all that will be allowed for this or that. Sorry to be so vague but I can't recall what *it* is. If I recall I will come back and post but I did want to get something up here to say I had seen *something* at one point concerning this. Maybe Eric or Guido or Dean has something they can think of really quick... - http://www.joeware.net (download joeware) http://www.cafeshops.com/joewarenet (wear joeware) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Thursday, March 18, 2004 5:03 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Do I really need to add UPNs? Using the GUI, I can add a new UPN by opening "AD Domains and Trusts", right clicking on the top item in the left pane and selecting properties. If I want to addit via script, I use Robbie's recipe 6.32. But I can create all the users I want programmaticallywith any UPN I want without putting that UPN into the uPNSuffixes attribute. Is the only purpose for this attribute to make it easier in ADUC to pick a UPN value?
