Tuesday, February 7, 2012

DirSync: Preparing all UPNs, required or not?

Everyone who has implemented a hybrid Office 365 / Exchange Online configuration has probably read the Office 365 deployment guide.

That guide tells you to make some preparations in your Active Directory.

One of these preparations is making sure the UPN of every user is set to a routable domain name, that is, a public domain you have verified in Office 365. For many organizations this is a real challenge. When Active Directory was introduced (with Windows 2000), Microsoft recommended giving the forest an FQDN that was not the same as your public domain name (a non-routable name, often with a .local suffix), and many directories were built that way. Things changed over the years, and last year Office 365 was released.

To set up DirSync for synchronization of your Active Directory objects, the guide requires every user to have an internet-routable UPN. That means the UPN must be of the form user@publicdomainname.

In some organizations this is a challenge because the user part of the UPN has been administered incorrectly over the years, or changes often (after marriages or divorces, for example). And because the UPN is used to log in to Exchange Online, you want it to be correct. What the documentation leaves unclear is what happens if you do not set the correct UPN before configuring DirSync.

From my own experience: I would still recommend setting the UPN of all users before configuring DirSync. If, however, you are in a situation where you have to proceed because the customer is not ready yet, it is possible to configure DirSync first and set the UPNs later.

Be advised that if you do this, DirSync will report errors during each sync. These errors are written to the event log of the DirSync server. DirSync synchronizes every 3 hours, and after each sync it e-mails a summary report to the administrators; the errors appear in that report as well.

If you set up DirSync without a proper UPN, it still synchronizes all AD objects and assigns those users a "@name.onmicrosoft.com" UPN, where name is your tenant name.

If you want to avoid errors during the syncs, you can also choose to set only the domain part of the UPN now and change the user part later. This results in a successful sync without noticeable errors.
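Before changing anything, it helps to know which accounts will cause trouble in the sync. The audit below is an added example, not the post's script and not a Microsoft tool: it reads the enabled user accounts via ADSI (no Exchange or RSAT needed) and flags accounts with no UPN, a UPN suffix that is not one of the domains you verified in Office 365, or a UPN prefix that differs from the local part of the mail attribute. The function names, the RoutableDomains value "contoso.com" and the three sample records are assumptions constructed for illustration; the prefix-versus-mail check assumes you want the sign-in name to equal the e-mail address.

```powershell
# Added example (not the post's script): pre-flight UPN audit to run before DirSync.
# Assumptions: $RoutableDomains holds the domains you verified in Office 365 (placeholder
# "contoso.com" below); the sample records at the bottom are constructed, not real accounts.

function Get-FirstValue($result, $name) {
    # First value of an LDAP attribute from a SearchResult, or $null if the attribute is absent
    $v = $result.Properties[$name]
    if ($v -ne $null -and $v.Count -gt 0) { [string]$v[0] } else { $null }
}

function Get-AdUserRecords {
    # Enabled user accounts of the current domain via ADSI
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
    # userAccountControl bit 2 = ACCOUNTDISABLE; the OID is the LDAP bitwise-AND matching rule
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher.PageSize = 1000   # paged search; without it a DC returns at most 1000 entries
    foreach ($p in "sAMAccountName", "userPrincipalName", "mail") {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName    = Get-FirstValue $r "samaccountname"
            UserPrincipalName = Get-FirstValue $r "userprincipalname"
            Mail              = Get-FirstValue $r "mail"
        }
    }
}

function Get-UpnIssues {
    param(
        [string[]]$RoutableDomains,
        [string]$UserPrincipalName,
        [string]$Mail
    )
    $issues = @()
    if ([string]::IsNullOrEmpty($UserPrincipalName)) {
        # Such an account ends up with the tenant.onmicrosoft.com UPN after the sync
        $issues += "MissingUPN"
        return $issues
    }
    $at = $UserPrincipalName.IndexOf("@")
    if ($at -lt 1 -or $at -eq ($UserPrincipalName.Length - 1) -or
        $UserPrincipalName.IndexOf("@", $at + 1) -ge 0) {
        $issues += "MalformedUPN"
        return $issues
    }
    $prefix = $UserPrincipalName.Substring(0, $at)
    $suffix = $UserPrincipalName.Substring($at + 1)
    # -notcontains compares case-insensitively, which is what you want for DNS names
    if ($RoutableDomains -notcontains $suffix) { $issues += "NonRoutableSuffix:$suffix" }
    # Assumption: the sign-in name should equal the local part of the mail address
    if ($Mail -and $Mail.Contains("@") -and $Mail.Substring(0, $Mail.IndexOf("@")) -ne $prefix) {
        $issues += "PrefixDiffersFromMail"
    }
    return $issues
}

function Invoke-UpnAudit {
    param([string[]]$RoutableDomains, [object[]]$Records)
    # One row per account that needs attention; clean accounts are not listed
    foreach ($rec in $Records) {
        $issues = @(Get-UpnIssues -RoutableDomains $RoutableDomains `
                                  -UserPrincipalName $rec.UserPrincipalName -Mail $rec.Mail)
        if ($issues.Count -gt 0) {
            New-Object PSObject -Property @{
                User   = $rec.SamAccountName
                UPN    = $rec.UserPrincipalName
                Issues = ($issues -join ", ")
            }
        }
    }
}

# Constructed sample records (not real accounts) so the audit can be tried offline;
# replace $sample with (Get-AdUserRecords) for a live run against the domain.
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = "jdoe";   UserPrincipalName = "jdoe@contoso.local"; Mail = "john.doe@contoso.com" }),
    (New-Object PSObject -Property @{ SamAccountName = "asmith"; UserPrincipalName = "asmith@contoso.com"; Mail = "asmith@contoso.com" }),
    (New-Object PSObject -Property @{ SamAccountName = "svc01";  UserPrincipalName = $null;                Mail = $null })
)
Invoke-UpnAudit -RoutableDomains "contoso.com" -Records $sample | Format-Table User, UPN, Issues -AutoSize
```

Accounts flagged NonRoutableSuffix are the ones the script below fixes; MissingUPN and PrefixDiffersFromMail rows are the user-part decisions that can wait until the organization has chosen its UPN format.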

I have created a script that prepares the UPN of all user objects with the proper domain part.


```powershell
# UPN Change Script (PS_CRI_ChangeUPN_v0.1.ps1)
#
# Author:    Cor (C.J.H.) Reinhard
# Copyright: 2012, Unauthorized use from author prohibited
#
# Version:   1.0 - Final
# Create date:            31-01-2012
# Last modification date: 31-01-2012
#
# Notes:  Run this script from within the Exchange Server 2010 Management Shell.
#         Script execution must be allowed. For a script you created or pasted locally,
#         RemoteSigned is sufficient (Unrestricted is not needed), and -Scope Process
#         limits the change to the current session:
#           Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
#
# Change history:
# 31-01-2012: First and final version, v1.0

$odom = "<current domain FQDN of users>"       # the current (non-routable) UPN suffix
$ndom = "<public/new domain FQDN of users>"    # the public domain verified in Office 365

# -ResultSize Unlimited: Get-User returns only the first 1000 objects by default
$usr = Get-User -ResultSize Unlimited

function Change-UPN {
    ForEach ($upn in $usr) {
        # Skip accounts without a UPN; match only the domain part, case-insensitively
        if ($upn.UserPrincipalName -and
            $upn.UserPrincipalName.EndsWith("@$odom", [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Host "Current user" $upn.Name "has UPN" $upn.UserPrincipalName
            # Keep the user part as it is and replace only the domain part
            $prefix = $upn.UserPrincipalName.Substring(0, $upn.UserPrincipalName.LastIndexOf("@"))
            $newupn = "$prefix@$ndom"
            # Add -WhatIf to this call to preview the changes before applying them
            Set-User -Identity $upn.Identity -UserPrincipalName $newupn
            Write-Host "UPN" $newupn "set for" $upn.Name -ForegroundColor Green
        }
    }
}

Change-UPN
```

Once your customer or organization has decided which UPN format they will use, you can change the user part of the UPN by following my previous post "Change the UPN of a federated user after user has been synced to Office 365".

Good luck and enjoy!
