Actually I had to think some more about what I had posted -
I believe the "officially" added UPNs are also stored in the respective TDO
object of the trusting domain, which replicates to all the GCs of its own
domain. This is how a DC in the trusting forest will know where
to pass on the request if you logon to a workstation in the trusting
forest with a UPN defined in the trusted forest. In addition
- as mentioned before - you'll only be able to perform restrictions on these UPN
suffixes when added to the upnSuffixes attribute.
So I guess when you're using forest trusts and you do want
to allow the "other" (not the implicit) UPNs for logon in the trusting forest,
you'll have to add them to the attribute.
But I guess I still earned the beer ;-) I won't be on
my way for another 6 hours.
Cheers,
Guido
From: joe [mailto:[EMAIL PROTECTED]
Sent: Samstag, 20. März 2004 03:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?
Ah, see I may be getting old but I can kind of remember.
:o)
Thanks for the assist Guido. You have earned one crappy
American Beer when you get here. Heck you may already be on the way.
:o)
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, March 19, 2004 3:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?
Adding the UPN suffixes to the list of alternate UPNs will
enable configuration of TLN restrictions (Top-Level Name restrictions) for
forest trusts (i.e. transitive trust between two 2003 forests). The UI lists the
available UPN suffixes of the trusted forest incl. the stored alternate UPNs
and allows you to configure which ones you allow to be used "across the
trust" for authentication. This is a must, if your UPN isn't a subordinate
of the top level name of your root (e.g. TLN of root = "mycompany.net", but your
alternative UPN suffix is "othercompany.net").
Alternative UPNs which are subordinates (e.g.
"otherOrg.mycompany.net") can be added manually within the wizard by adding
exceptions for your existing root-UPN suffix.
/Guido
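
The distinction Guido draws above, as an added example that is not part of the original thread: a short Python audit that sorts user UPNs by whether their suffix is the root TLN, is listed in uPNSuffixes, is a subordinate of the root TLN, or is neither (and so cannot be selected for use across a forest trust). The category names, the function names and the sample UPNs are constructed for illustration; only "mycompany.net", "othercompany.net" and "otherOrg.mycompany.net" come from the message.

```python
from collections import defaultdict

def _norm(name):
    # DNS-style suffixes compare case-insensitively; drop a trailing dot.
    return name.strip().rstrip(".").lower()

def classify_suffix(suffix, root_tln, registered):
    """Return 'root', 'registered', 'subordinate' or 'unregistered'."""
    s, root = _norm(suffix), _norm(root_tln)
    if s == root:
        return "root"            # implicit suffix of the forest root
    if s in registered:
        return "registered"      # present in uPNSuffixes
    if s.endswith("." + root):
        return "subordinate"     # below the root TLN, handled via exceptions
    return "unregistered"        # not selectable for use across the trust

def audit_upns(upns, root_tln, upn_suffixes):
    """Group userPrincipalName values by how their suffix relates to the forest."""
    registered = {_norm(x) for x in upn_suffixes}
    report = defaultdict(list)
    for upn in upns:
        user, at, suffix = upn.rpartition("@")  # suffix follows the last '@'
        if not (user and at and suffix):
            report["malformed"].append(upn)
            continue
        report[classify_suffix(suffix, root_tln, registered)].append(upn)
    return dict(report)

# Constructed sample data (hypothetical export of userPrincipalName values).
SAMPLE_ROOT_TLN = "mycompany.net"
SAMPLE_UPN_SUFFIXES = ["othercompany.net"]
SAMPLE_UPNS = [
    "alice@mycompany.net",
    "bob@OtherCompany.net",
    "carol@otherOrg.mycompany.net",
    "dave@thirdcompany.net",      # created by script, suffix never registered
    "erin@notmycompany.net",      # looks similar but is not below the root TLN
    "frank",                      # no suffix at all
]

if __name__ == "__main__":
    for kind, names in audit_upns(SAMPLE_UPNS, SAMPLE_ROOT_TLN,
                                  SAMPLE_UPN_SUFFIXES).items():
        print(f"{kind:13} {', '.join(names)}")
```

Accounts reported as "unregistered" are the ones whose suffix would have to be added to uPNSuffixes before it could be allowed across the trust.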
From: joe [mailto:[EMAIL PROTECTED]
Sent: Freitag, 19. März 2004 01:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Do I really need to add UPNs?
Crap I knew the answer to this at one point... I must have
reached the end of my event log and am now overwriting...
It is for the GUI but there is something else that looks at
that and if it isn't populated it doesn't know to take that UPN Suffix into
account.... I want to say it has something to do with Forest Trusts but I could be
way out in left field. Basically *something* looks at the possible UPN Suffixes
and that is all that will be allowed for this or that. Sorry to be so vague but
I can't recall what *it* is. If I recall I will come back and post but I did
want to get something up here to say I had seen *something* at one point
concerning this. Maybe Eric or Guido or Dean has something they can think of
really quick...
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, March 18, 2004 5:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Do I really need to add UPNs?
Using the GUI, I can
add a new UPN by opening "AD Domains and Trusts", right clicking on the top item
in the left pane and selecting properties. If I want to add it via script,
I use Robbie's recipe 6.32.
But I can create all
the users I want programmatically with any UPN I want without putting that
UPN into the uPNSuffixes attribute.
Is the only purpose
for this attribute to make it easier in ADU&C to pick a UPN
value?
