
Setting up a brand-new domain and want to achieve ActiveSync/Autodiscover Nirvana: no certificate warnings, no having to enter in Server Names or Domains, just pure Contoso-like buttery bliss.

Have ad.mycompany.com as the current default UPN suffix; from what I've been reading, in order to have iPhones get added with just email address and password, I need to add an alternative UPN suffix and set it for any new or current users.

Seems simple enough, but are there any downsides or pitfalls to setting up alternative UPN suffixes as the default? I'm assuming that both suffixes will be valid (ad.mycompany.com and mycompany.com) regardless of authentication method and device, but this is entering into the Dark Arts of AD that I'm not familiar with.

gravyface

1 Answer


In general you will be fine. I'm not 100% sure if all possible UPNs work or just the configured suffix and the suffix matching the actual domain name of the domain, but both of those definitely will work for normal user logons (just tested on my domain). And that is the only possible pitfall. See: Why can a user log in via more than one UPN

Edit: Only the configured UPN and the implicit UPN will work (in addition to DOMAIN\user). So if you add more UPN suffixes in the future your users will still only have two options to logon: whichever one is configured for their account and the implicit one (unless they are the same in which case that's their only UPN option). I followed one of the links in the above link.

Todd Wilcox
  • By the way, you get a lot more than just iPhone configuration ease. Any ActiveSync device and Outlook/Outlook Anywhere will also auto configure. And it's required for federation with Microsoft cloud services. And if you haven't seen it yet, you can test AutoDiscover and Outlook Anywhere here (best to use a test account you can disable): https://testconnectivity.microsoft.com – Todd Wilcox Mar 24 '15 at 02:32
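As an added example (not code from the question or the answer), the procedure discussed above in PowerShell: register mycompany.com as an alternative UPN suffix in the forest, move users off the implicit ad.mycompany.com suffix, and report the two logon names the answer says will work for an account. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights for the forest change, and a placeholder account name jdoe; the user update runs with -WhatIf so nothing changes until you remove it.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$oldSuffix = 'ad.mycompany.com'   # implicit UPN suffix = the AD domain's DNS name
$newSuffix = 'mycompany.com'      # must equal the users' SMTP domain for Autodiscover

# 1. Register the alternative suffix at the forest level (skip if already present)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $newSuffix}
}

# 2. Re-suffix enabled users still on the implicit suffix (-WhatIf: dry run only)
$users = Get-ADUser -Filter "Enabled -eq 'True' -and UserPrincipalName -like '*@$oldSuffix'" `
                    -Properties UserPrincipalName, mail
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $newSuffix
    # Autodiscover only "just works" when the UPN matches the primary SMTP address
    if ($u.mail -and $u.mail -ne $newUpn) {
        Write-Warning "$($u.SamAccountName): mail '$($u.mail)' differs from new UPN '$newUpn'"
    }
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}

# 3. Verification: the logon names that remain valid for an account
#    (configured UPN, implicit UPN, and DOMAIN\user), as stated in the answer
function Get-UsableLogonNames {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u      = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
    $domain = Get-ADDomain
    [pscustomobject]@{
        Configured = $u.UserPrincipalName
        Implicit   = '{0}@{1}' -f $u.SamAccountName, $domain.DNSRoot
        NetBIOS    = '{0}\{1}' -f $domain.NetBIOSName, $u.SamAccountName
    }
}

Get-UsableLogonNames -SamAccountName 'jdoe'   # placeholder account name
```

Re-run step 2 without -WhatIf once the warnings about mismatched mail attributes are cleared, so every account ends up with a UPN equal to its primary SMTP address.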