
Is there an upper limit to the number of alternate UPN suffixes that can be defined at the forest root of a Windows 2012 R2 native Active Directory? I read somewhere that the Windows 2000 forest limit = 863 and the Windows 2003 forest limit = 1300. The reason for asking is that I am looking into setting up a new forest for extranet authentication where the logon will be an email address (samAccountName does not accept "@"). The numbers I have are much higher than this. I have seen it is possible to set up UPN suffixes on OUs as well as at the forest root level - not sure if that helps (extends the max, perhaps)? If there is still a max number in 2012, is it still necessary to have UPN suffixes defined? I.e., can I script around it, or is it system mandatory? In this case, this is a single-domain forest with no trusts. I am using Windows Exchange Server 2013.

Abdul Rafay

2 Answers


Theoretically: ~3900, Practically: ~1200

(regardless of # of trusts)

The reason for that boils down to how UPN suffixes are stored, per forest, in the Active Directory data store.

UPN suffixes are defined forest-wide, and are stored in the Configuration NC. You can see the list for yourself by retrieving the values of the uPNSuffixes attribute from CN=Partitions,CN=Configuration,DC=forestroot,DC=tld

Now, the uPNSuffixes attribute is a non-linked multivalued attribute, and the insightful TechNet article "How the Data Store works" has this to say about just this type of attribute:

Maximum Database Record Size

The maximum size of a database record is 8110 bytes, based on an 8-kilobyte (KB) page size. Because of variable overhead requirements and the variable number of attributes that an object might have, it is impossible to provide a precise limit for the maximum number of multivalues that an object can store in its attributes. For all practical purposes, the size of objects is not significant in Active Directory if you use the recommended guidelines described in "Static Data" later in this chapter.

The only value that can actually be computed is the maximum number of values in a nonlinked, multivalued attribute when the object has only one attribute (which is impossible). In Windows 2000 Active Directory, this number is computed at 1575 values. From this value, taking various overhead estimates into account and generalizing about the other values that the object might store, the practical limit for number of multivalues stored by an object is estimated at 800 nonlinked values per object across all attributes.

The practical limit of 800 nonlinked values per object is increased in Windows Server 2003 and later. When the forest has a functional level of Windows Server 2003 or higher, for a theoretical record that has only one attribute with the minimum of overhead, the maximum number of multivalues possible in one record is computed at 3937. Using similar estimates for overhead, a practical limit for nonlinked multivalues in one record is approximately 1200. These numbers are provided only to point out that the maximum size of an object is somewhat larger in Windows Server 2003 and later. (emphasis added)

I believe these are probably the values you've read about elsewhere. As the article indicates, this is not a hard limit, so you may find that you can add e.g. 2000 UPN suffixes, and all of them work just fine.

Mathias R. Jessen

In your case, the upper limit shouldn't make any difference. You only need to pre-define all of the UPN suffixes if you're either a) dependent on the GUI tools to show the options or b) creating forest trusts.

If you simply need to store someone's email address as the sign-in credential in the userPrincipalName attribute, there's no need to prepopulate the uPNSuffixes attribute.

Brian Desmond
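The following PowerShell is an added example, not code from the question or from either answer. It ties the two answers together: it reads the forest-wide uPNSuffixes list from the Partitions container that Mathias R. Jessen's answer points at and compares its size with the ~1200 practical figure quoted from the TechNet article, then sets an email-style userPrincipalName on a user without that suffix having to be in uPNSuffixes, which is Brian Desmond's point. It assumes the RSAT ActiveDirectory module is installed on a domain-joined machine, and that the session has read access to the Configuration NC and write access to the target user. The account name and UPN are constructed sample values.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and a domain-joined session
# with rights to read the Configuration NC and modify the target user.
Import-Module ActiveDirectory

# 1. Enumerate the forest-wide UPN suffixes stored on CN=Partitions in the
#    Configuration naming context.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$partitions = Get-ADObject -Identity "CN=Partitions,$configNC" -Properties uPNSuffixes
$suffixes   = @($partitions.uPNSuffixes)

# ~1200 is the practical per-record limit the TechNet article gives for
# nonlinked multivalued attributes at Windows Server 2003+ functional level.
$practicalLimit = 1200
Write-Host ("{0} alternate UPN suffixes defined on {1}" -f $suffixes.Count, $partitions.DistinguishedName)
if ($suffixes.Count -gt $practicalLimit) {
    Write-Warning "uPNSuffixes exceeds the documented practical limit; record-size failures on this object become possible"
}

# 2. Assign an email-style sign-in name directly. The suffix does not need to
#    appear in uPNSuffixes for this write to succeed; only the GUI tools and
#    forest trusts consult that list. Both values below are constructed samples.
$sam = 'jdoe'
$upn = 'jane.doe@partner.example'

# A logon name only resolves unambiguously if it is unique, so query the global
# catalog (port 3268) for an existing holder before writing it.
$gc  = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$dup = Get-ADUser -Server "$($gc):3268" -LDAPFilter "(userPrincipalName=$upn)"
if ($dup -and $dup.SamAccountName -ne $sam) {
    throw "UPN $upn is already assigned to $($dup.DistinguishedName)"
}

Set-ADUser -Identity $sam -UserPrincipalName $upn
Write-Host "Set userPrincipalName=$upn on $sam"
```

The uniqueness check is worth keeping even in a single-domain forest: nothing in the directory stops two accounts from ending up with the same UPN through scripted provisioning, and the first symptom is usually a user who can no longer sign in. If the sign-in names come from untrusted input, escape the value before embedding it in the LDAP filter rather than interpolating it as shown here.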