John Savills Frequently Asked Questions on IT Pro: Windows

FAQs: Exploring UPNs in AD and Moving FSMO Roles

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

In this group of FAQs we continue exploration of the UPNs in AD and moving all FSMO roles.

----------

Q. How can I add a new UPN suffix using PowerShell?
Dept - Active Directory

A. To add a new UPN suffix to the AD forest using PowerShell use the following:

Set-ADForest -UPNSuffixes @{Add="us.savilltech.com"}

To view the UPN suffixes use:

Get-ADForest | Select-Object -Property Name, UPNSuffixes

Q. Can two users in the same forest have the same UPN?
Dept - Active Directory

A. There is can you and should you. AD Users and Computers will block having users with the same UPN as the UPN should be unique across the forest (and between any trusted domains) however with PowerShell you could set a duplicate UPN however this would result in a lot of problems. AD will protect against collisions and access across the domains would be blocked and the users with duplicate UPNs would be unable to logon using the UPN.

Q. How can I easily move all FSMO roles to a single DC?
Dept - Active Directory

A. Using Move-ADDirectoryServerOperationMasterRole you can move FSMO roles to a target DC. There is a numeric ID for each role so to move all roles you can use:

Move-ADDirectoryServerOperationMasterRole -Identity "<target DC>" -OperationMasterRole 0,1,2,3,4

If you needed to seize the roles then add -Force to the end of the command.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish