Link to home
Start Free TrialLog in
Avatar of Ian Gooding
Ian GoodingFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Should userPrincipalName in Active Directory match external email domain or the internal AD domain

I've got an active directory domain (2008 level) which predates our email moving to Exchange, so the domain names are different. The AD one is a ".local" created in the days before the best practice was to match external domain names. This means that email addresses (using our external domain) differ from internal identifiers. We now have an on-premise Exchange 2016 server. I've implemented autodiscover which was fine before Outlook 2016 came along as we could always specify the domain name in setting up. Now with Outlook 2016 the option to set this are so hard to discover that I decided to find out why I couldn't login to Outlook with just the external facing email address. It seems to work with setting up Outlook inside the domain, but I've got some external email users who don't have this option.

After much investigation, I found that the AD field userPrincipalName is set to user@internal.local instead of and that this governs whether you can login with the external email address on OWA. Here's the link that gave me the clue:

So if I reset the field in the user's record in AD to the external email domain, I can then login with just the email address, and set up new Outlook 2016 profiles again with just the email address. So far this seems to work.

The question is whether this is good practice, or whether I should change my AD to use the external domain name, or some combination perhaps involving having both internal and external domains defined. Are there any gotchas if I simply change the userPrincipalName to match the email address in all cases?

I'm intending to migrate some of our mailboxes to Office 365 in the next month or two, so it would be good if there's a best practice to make this migration easier.
Avatar of timgreen7077

No the the UPN doesn't need to match the external email address domain. They can be completely different, but it does make it easier to deal with at times. Also if you plan on setting up a hybrid environment in order to migrate to o365, you will need to remove the .local from the proxy email addresses on the user mailboxes. O365 doesn't allow the .local suffix. You don't have to remove .local from your domain but it can't be a proxy address on the mailbox.
Avatar of timgreen7077

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Ian Gooding


Thanks, that's just what I needed to give me confidence. I'm trying it out with a few users and will then build a script to update everyone else.
I would always use test accounts first before making any changes to production users, but you should be good.
So would I! I tried it first with a test account, which connects fine with OWA and mobile Outlook, so have changed my own AD profile. As I'm probably the most complex user setup this ought to reveal any hidden side effects...