Avatar of Ian Gooding
Ian Gooding
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Should userPrincipalName in Active Directory match external email domain or the internal AD domain

I've got an active directory domain (2008 level) which predates our email moving to Exchange, so the domain names are different. The AD one is a ".local" created in the days before the best practice was to match external domain names. This means that email addresses (using our external domain) differ from internal identifiers. We now have an on-premise Exchange 2016 server. I've implemented autodiscover which was fine before Outlook 2016 came along as we could always specify the domain name in setting up. Now with Outlook 2016 the option to set this are so hard to discover that I decided to find out why I couldn't login to Outlook with just the external facing email address. It seems to work with setting up Outlook inside the domain, but I've got some external email users who don't have this option.

After much investigation, I found that the AD field userPrincipalName is set to user@internal.local instead of user@external.com and that this governs whether you can login with the external email address on OWA. Here's the link that gave me the clue: https://social.technet.microsoft.com/Forums/en-US/15eef306-69b5-4008-904e-50e0116c223f/setup-outlook-anywhere-to-not-ask-for-domainusername-just-email-address-only?forum=exchange2010

So if I reset the field in the user's record in AD to the external email domain, I can then login with just the email address, and set up new Outlook 2016 profiles again with just the email address. So far this seems to work.

The question is whether this is good practice, or whether I should change my AD to use the external domain name, or some combination perhaps involving having both internal and external domains defined. Are there any gotchas if I simply change the userPrincipalName to match the email address in all cases?

I'm intending to migrate some of our mailboxes to Office 365 in the next month or two, so it would be good if there's a best practice to make this migration easier.
ExchangeOutlookActive Directory

Avatar of undefined
Last Comment
Ian Gooding

8/22/2022 - Mon
timgreen7077

No the the UPN doesn't need to match the external email address domain. They can be completely different, but it does make it easier to deal with at times. Also if you plan on setting up a hybrid environment in order to migrate to o365, you will need to remove the .local from the proxy email addresses on the user mailboxes. O365 doesn't allow the .local suffix. You don't have to remove .local from your domain but it can't be a proxy address on the mailbox.
ASKER CERTIFIED SOLUTION
timgreen7077

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Ian Gooding

ASKER
Thanks, that's just what I needed to give me confidence. I'm trying it out with a few users and will then build a script to update everyone else.
timgreen7077

I would always use test accounts first before making any changes to production users, but you should be good.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Ian Gooding

ASKER
So would I! I tried it first with a test account, which connects fine with OWA and mobile Outlook, so have changed my own AD profile. As I'm probably the most complex user setup this ought to reveal any hidden side effects...