Assume that you add a user principal name (UPN) suffix by using Active Directory Domains and Trusts on a domain controller that is running Microsoft Windows Server 2012 R2 in a Microsoft Exchange Server 2013 environment. When you check the UPN by using Exchange Admin Center (EAC) or by running the Get-UserPrincipalNamesSuffix cmdlet in Exchange Management Shell (EMS), the added UPN suffix is not displayed.
This issue occurs because the Exchange Trusted Subsystem security group does not have permissions to read the "CN=Partitions,CN=Configuration,DC=YourDomain,DC=YourRootDomain" entry.
To work around this issue, follow these steps to add the Read permission to the Exchange Trusted Subsystem security group:
- Start the Active Directory Service Interfaces (ADSI) Edit tool.
- On the Action menu, click Connect to.
- In the Connection Point area, click Select a well known Naming Context, and then click Configuration in the list.
- In the Computer area, click Select or type a domain or Server, and then type the fully qualified domain name (FQDN) of the server in the box. Or, click Default (Domain or Server that you logged in to) if it is suitable for your circumstances. Then, click OK.
- Expand CN=Configuration,DC=YourDomain,DC=YourRootDomain.
- Right-click CN=Partitions, and then click Properties.
- On the Security tab, add Exchange Trusted Subsystem, and then click OK.
- Select the Read permission for the Exchange Trusted Subsystem security group, and then click OK.
- Exit the tool.
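The same permission change can be checked and applied from PowerShell instead of ADSI Edit. This is an added example, not part of the original article or Microsoft's own code. It assumes the ActiveDirectory module (RSAT) is installed, that the group resolves in the domain you are logged on to, and that the ACE is scoped to the CN=Partitions object only; the function name `Grant-PartitionsRead` is hypothetical.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and rights to modify ACLs in the Configuration partition.
Import-Module ActiveDirectory

function Grant-PartitionsRead {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: the group resolves in the domain you are logged on to.
        [string]$GroupName = 'Exchange Trusted Subsystem'
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $read    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    # Build the DN from the forest's own configuration naming context.
    $dn   = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
    $path = "AD:\$dn"
    $sid  = (Get-ADGroup -Identity $GroupName).SID

    # Look for an existing explicit or inherited Allow ACE that grants full Read.
    $acl = Get-Acl -Path $path
    $existing = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $read) -eq $read
    }
    if ($existing) {
        Write-Output "$GroupName already has Read on $dn"
        return
    }

    # Allow GenericRead on this object only (no inheritance to child objects).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $read,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($dn, "Grant Read to $GroupName")) {
        Set-Acl -Path $path -AclObject $acl
        Write-Output "Granted Read on $dn to $GroupName"
    }
}

Grant-PartitionsRead -WhatIf   # report only; rerun without -WhatIf to apply
```

The check looks only for an Allow entry; it does not evaluate Deny entries that could still block the read.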
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about how to add UPN suffixes by using Active Directory Domains and Trusts, go to the following Microsoft website:
For more information about the Get-UserPrincipalNamesSuffix cmdlet, go to the following Microsoft website: