2017-11-01

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

In this group of FAQs we continue exploration of the UPNs in AD and moving all FSMO roles.

Q. How can I add a new UPN suffix using PowerShell?

A. To add a new UPN suffix to the AD forest using PowerShell, use the following:

Set-ADForest -UPNSuffixes @{Add="us.savilltech.com"}

To view the UPN suffixes use:

Get-ADForest | Select-Object -Property Name, UPNSuffixes

Q. Can two users in the same forest have the same UPN?

A. There is a difference between "can you" and "should you". Active Directory Users and Computers will block creating two users with the same UPN, because a UPN should be unique across the forest (and across any trusted domains). With PowerShell you could set a duplicate UPN, but this would cause a lot of problems: AD protects against collisions, so access across the domains would be blocked and the users with duplicate UPNs would be unable to log on using their UPN.
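As an added example (not from the article), the following PowerShell audit shows how such duplicates can be found across every domain in the forest before they cause logon failures, and also flags UPNs whose suffix is not registered in the forest. It assumes the ActiveDirectory module is installed and the account running it can read user objects in each domain.

```powershell
# Added example: audit UPNs across the whole forest for duplicates and unregistered suffixes.
# Assumes the ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
# Suffixes that are valid for this forest: each domain's DNS name plus the registered UPN suffixes
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

# Collect every user that has a UPN set, querying each domain directly
$users = foreach ($domain in $forest.Domains) {
    Get-ADUser -Server $domain -Filter 'UserPrincipalName -like "*"' `
        -Properties UserPrincipalName |
        Select-Object DistinguishedName, UserPrincipalName
}

# Duplicates: the same UPN on more than one account (the GUI blocks this, PowerShell does not).
# Group-Object compares strings case-insensitively by default, matching how AD treats UPNs.
$duplicates = $users |
    Group-Object -Property UserPrincipalName |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $duplicates) {
    Write-Warning "Duplicate UPN '$($group.Name)' is set on $($group.Count) accounts:"
    $group.Group | ForEach-Object { Write-Warning "    $($_.DistinguishedName)" }
}

# UPNs whose suffix is not a domain name or registered suffix: these are not offered by the
# GUI and are worth reviewing, since suffix routing across forest trusts relies on the registered list.
$unregistered = $users | Where-Object {
    $suffix = ($_.UserPrincipalName -split '@')[-1]
    $validSuffixes -notcontains $suffix
}
$unregistered | ForEach-Object {
    Write-Warning "UPN '$($_.UserPrincipalName)' uses a suffix not registered in the forest"
}
```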

Q. How can I easily move all FSMO roles to a single DC?

A. Using Move-ADDirectoryServerOperationMasterRole you can move FSMO roles to a target DC. There is a numeric ID for each role so to move all roles you can use:

Move-ADDirectoryServerOperationMasterRole -Identity "<target DC>" -OperationMasterRole 0,1,2,3,4

If you need to seize the roles rather than transfer them, add -Force to the end of the command.