UPN suffix isn't displayed in EAC or EMS in an Exchange Server 2013 environment

Original KB number:  2909303

Symptoms

Assume that you add a user principal name (UPN) suffix by using Active Directory Domains and Trusts on a domain controller that's running Microsoft Windows Server 2012 R2 in a Microsoft Exchange Server 2013 environment. When you check the UPN by using Exchange Admin Center (EAC) or by running the Get-UserPrincipalNamesSuffix cmdlet in Exchange Management Shell (EMS), the added UPN suffix isn't displayed.

Cause

This issue occurs because the Exchange Trusted Subsystem security group doesn't have permissions to read the CN=Partitions,CN=Configuration,DC= YourDomain,DC= YourRootDomain entry.

Workaround

To work around this issue, follow these steps to add the Read permission to the Exchange Trusted Subsystem security group:

  1. Start the Active Directory Service Interfaces (ADSI) Edit tool.
  2. On the Action menu, click Connect to.
  3. In the Connection Point area, click Select a well known Naming Context, and then click Configuration in the list.
  4. In the Computer area, click Select or type a domain or Server, and then type the fully qualified domain name (FQDN) of the server in the box. Or, click Default (Domain or Server that you logged in to) if it's suitable for your circumstances. Then, click OK.
  5. Expand CN=Configuration,DC=YourDomain,DC=YourRootDomain.
  6. Right-click CN=Partitions, and then click Properties.
  7. On the Security tab, add Exchange Trusted Subsystem, click OK.
  8. Select the Read permission for the Exchange Trusted Subsystem security group, and then click OK.
  9. Exit the tool.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

For more information about how to add UPN suffixes by using Active Directory Domains and Trusts, see How to add UPN suffixes.

For more information about the Get-UserPrincipalNamesSuffix cmdlet, see General information about the Get-UserPrincipalNamesSuffix cmdlet.

For more information about the ADSI Edit tool, see ADSI Edit.