FAQs: Exploring UPNs in AD and Moving FSMO Roles

John Savill

November 1, 2017

John Savill's Frequently Asked Questions on IT Pro: Windows

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

In this group of FAQs we continue our exploration of UPNs in AD and look at moving all FSMO roles.

----------

Q. How can I add a new UPN suffix using PowerShell?
Dept - Active Directory

A. To add a new UPN suffix to the AD forest using PowerShell, use the following:

Set-ADForest -UPNSuffixes @{Add="us.savilltech.com"}

To view the UPN suffixes use:

Get-ADForest | Select-Object -Property Name, UPNSuffixes

Q. Can two users in the same forest have the same UPN?
Dept - Active Directory

A. There is "can you" and there is "should you." AD Users and Computers will block creating users with the same UPN, because the UPN should be unique across the forest (and between any trusted domains). With PowerShell you could set a duplicate UPN, but this would result in a lot of problems: AD will protect against collisions, access across the domains would be blocked, and the users with duplicate UPNs would be unable to log on using the UPN.
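
Because PowerShell can set a duplicate UPN, it is worth auditing the forest for collisions and checking a UPN before assigning it. The following is an added example, not part of the original FAQ: the function names Get-DuplicateUpn and Test-UpnInUse are hypothetical, and it assumes the ActiveDirectory module and a reachable global catalog on port 3268.

```powershell
Import-Module ActiveDirectory

function Get-DuplicateUpn {
    [CmdletBinding()]
    param(
        # Global catalog to query; defaults to the first one listed for the forest.
        [string]$GlobalCatalog = (Get-ADForest).GlobalCatalogs[0]
    )
    # Port 3268 is the global catalog. With an empty SearchBase on that port,
    # every domain partition in the forest is searched, not just one domain.
    Get-ADUser -Server "${GlobalCatalog}:3268" -SearchBase '' `
               -LDAPFilter '(userPrincipalName=*)' |
        Group-Object -Property UserPrincipalName |   # case-insensitive by default
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                UserPrincipalName = $_.Name
                Count             = $_.Count
                Accounts          = $_.Group.DistinguishedName
            }
        }
}

function Test-UpnInUse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$GlobalCatalog = (Get-ADForest).GlobalCatalogs[0]
    )
    # The single-quoted filter lets the AD module bind the variable itself,
    # so characters in the UPN are not interpreted as filter syntax.
    $hit = Get-ADUser -Server "${GlobalCatalog}:3268" -SearchBase '' `
                      -Filter 'UserPrincipalName -eq $UserPrincipalName'
    return [bool]$hit
}

# Report existing collisions across the forest.
Get-DuplicateUpn | Format-List

# Check before assigning a UPN (constructed sample value).
$candidate = 'jane.doe@us.savilltech.com'
if (Test-UpnInUse -UserPrincipalName $candidate) {
    Write-Warning "$candidate is already assigned in this forest."
}
```

The global catalog covers only the local forest, so UPNs in trusted forests need the same check run against a global catalog there.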

Q. How can I easily move all FSMO roles to a single DC?
Dept - Active Directory

A. Using Move-ADDirectoryServerOperationMasterRole you can move FSMO roles to a target DC. There is a numeric ID for each role so to move all roles you can use:

Move-ADDirectoryServerOperationMasterRole -Identity "<target DC>" -OperationMasterRole 0,1,2,3,4

If you need to seize the roles, add -Force to the end of the command.
