DOMAINAccount Names and User Principal Names

Prior to Windows 2000, all account names were of the form DOMAIN/Account—for example, EXAIR/Michael. This is also called the SAM account name. Although this form worked well, it did have two shortcomings:

• The user's logon name and e-mail name are different.
• Two organizations might have the same domain name, and hence there's a possibility of user names clashing if the two domains needed to talk to each other.

Windows 2000 introduces the notion of user principal names (UPNs), which follow the now-classic, well-understood e-mail address format of user@domain—for example, michael@exair.com.

By default, the UPN name of a user is username@DNSDomainName, where DNSDomainName (also called the UPN suffix) is the Domain Name System (DNS) name of the organization. However, the name is somewhat arbitrary and is configurable using the Active Directory Domains And Trusts tool, as shown in Figure 3-2.

Figure 3-2. Configuring different UPN suffixes in Active Directory.

Once you've set the UPN suffixes, you can set the UPNs for users. For example, Cheryl's account might be in the development.exair.com domain, but her UPN can be cheryl@web.development.exair.com. When Cheryl logs on to Windows 2000, she can log on as either DEVELOPMENT/Cheryl or cheryl@web.development.exair.com. The UPN name is configurable in Active Directory by editing the userPrincipalName attribute of the user's object or by using the User Logon Name option, as shown in Figure 3-3.

Figure 3-3. Setting a user's UPN in Active Directory.

Some applications, including SQL Server 2000, might not recognize UPN names—that's why Windows 2000 supports both DOMAIN/Account naming and UPN naming. We expect that this situation will be resolved as more developers port their applications to Windows 2000 and more users deploy solutions requiring UPNs.