Let's say you have the following environment:
ExchangeResource.corp hosts all the Microsoft Exchange 2010 servers and the linked mailbox accounts. The actual user accounts are stored in the Tailspin.corp and Mantech.corp forests. The Tailspin.corp and Mantech.corp forests have a one-way forest trust with ExchangeResource.corp so that users in the Tailspin.corp and Mantech.corp forests can access their linked mailboxes in the ExchangeResource.corp domain.
Now to make things easy on the users, you set the OWA directory to use UPN suffix names instead of Domain\user:
Everything works fine, but then you add a UPN suffix to each individual forest that makes the UPN suffix match the users email address. Below is an example shown with the user Tom Jones in the Tailspin forest:
A user goes to log in with the new UPN and is greeted with an error message saying that they could not log in:
But using the old UPN still works fine, so what’s going on?
Well, if we check the event logs of the DC in the ExchangeResource.corp domain we find EventID 6034 for LsaSrv in the security event log:
The DC is telling us that it does not know how to route the tailspin.com suffix. It notes that the suffix has been added to the tailspin.corp forest, which it learned through the forest trust, but that the name suffix is not enabled. Helpfully, the event also tells us how to fix this. Open Active Directory Domains and Trusts, right-click ExchangeResource.corp, and choose Properties.
Go to the Trusts tab. Here you will see all the forests that you have trusts with. Highlight the tailspin.corp forest and click Properties:
Navigate to the Name Suffix Routing tab:
Here we can see that the new tailspin.com suffix has been added. It even has a status of “New”, but routing is disabled. Highlight the suffix and then click Enable:
If you do not see the new suffix you created listed here, simply click the Refresh button and it should appear.
After clicking Apply, both names should be enabled:
Now if a user tries to log in, they should be all set!
Keep in mind you will need to do this each time you add a new UPN suffix to one of the domains that are being trusted by ExchangeResource.corp.
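
Because this has to be repeated for every new suffix, the same check can be scripted. The following is an added example, not part of the original post: it uses the .NET `System.DirectoryServices.ActiveDirectory` classes to list every name suffix on each forest trust and to enable only suffixes that are still in the "New" state and that you have explicitly approved. The `ApprovedSuffixes` and `Enable` parameter names are hypothetical, and the script assumes the suffix already appears in the trust's suffix list.

```powershell
# Added example, not from the original post. Run on a domain controller or admin
# workstation in the trusting forest (ExchangeResource.corp in the article).
param(
    # Hypothetical parameter: suffixes you have confirmed belong to the trusted forest.
    [string[]]$ApprovedSuffixes = @('tailspin.com'),
    # Hypothetical switch: without it the script only reports.
    [switch]$Enable
)

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

foreach ($trust in $forest.GetAllTrustRelationships()) {
    $dirty = $false

    foreach ($tln in $trust.TopLevelNames) {
        $action = 'None'

        # "New" in the GUI corresponds to NewlyCreated: learned over the trust, not yet routed.
        if ($tln.Status -eq 'NewlyCreated') {
            if ($Enable -and ($ApprovedSuffixes -contains $tln.Name)) {
                $tln.Status = [System.DirectoryServices.ActiveDirectory.TopLevelNameStatus]::Enabled
                $dirty = $true
                $action = 'Enabled'
            } else {
                $action = 'NeedsReview'
            }
        }

        # One row per suffix, including ones left untouched (AdminDisabled, ConflictDisabled).
        [pscustomobject]@{
            TrustedForest = $trust.TargetName
            Suffix        = $tln.Name
            Status        = $tln.Status
            Action        = $action
        }
    }

    # Write the changed routing state back to the trusted domain object.
    if ($dirty) { $trust.Save() }
}
```

Run it once without `-Enable` to review what each trusted forest is advertising, then again with `-Enable` once the approved list contains only suffixes that forest should be authoritative for.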