Microsoft KB Archive/251359

From BetaArchive Wiki

Article ID: 251359

Article Last Modified on 2/28/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q251359

SYMPTOMS

Users may be unable to log on using their user principal names (UPNs) or duplicate UPNs may be displayed in the directory.

CAUSE

This behavior can occur if you use multiple processes to set UPNs or if you use a tool that does not query the global catalog. Because the UPN provides the ability to perform a single logon anywhere in the organization, the UPN must be unique across the entire Windows 2000 forest.

RESOLUTION

To resolve this issue, make sure that each UPN is unique across the organization.

MORE INFORMATION

A UPN is composed of a user account logon name and the UPN suffix joined by the at sign (@). It allows for a simplified logon and is most commonly the user's e-mail address.

Active Directory itself does not enforce uniqueness of a UPN. The process that creates or modifies the UPN is responsible for checking uniqueness, which it does by querying the global catalog.

Active Directory is a multi-master environment with loose consistency. This means that each domain controller contains its own view of the directory, which it can modify. These views are then consolidated through the replication process. In an environment with multiple global catalog servers, there is a normal replication delay. The UPN may be unique for the local global catalog server that was queried at the time of modification, but after replication is finished, changes from another domain controller may cause the same UPN value to be present on different objects.

Additionally, because each domain controller can make modifications, there is no authority for implementing a global locking mechanism. Searching for an existing UPN and writing a UPN to the directory are separate tasks. Without a locking mechanism, it is possible for queries and write operations to the directory to overlap.

The following example shows how a UPN can be set for two users, which can result in duplication:

  1. Process1 queries for UPN JSmith@domain.com.
  2. Process2 queries for UPN JSmith@domain.com.
  3. Process1 writes a UPN for John Smith as JSmith@domain.com.
  4. Process2 writes a UPN for Jane Smith as JSmith@domain.com.

Both queries indicate there is no UPN with the value of JSmith@domain.com. However, after the write operations are finished, both users have the same UPN.
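The following Python model, added here as an illustration and not taken from the article or from Microsoft, reproduces the three situations the article describes: the four-step interleaving above, a tool that checks only its own domain partition instead of the global catalog, and a single serialized process that checks the global catalog view before each write. Each Replica stands in for one domain controller's copy of the directory and replicate() for Active Directory replication; the domain names, distinguished names and the JSmith@domain.com UPN are constructed sample values, and UPNs are compared case-insensitively because Active Directory matches string attributes that way.

```python
"""Model of UPN duplication in a multi-master directory (added example)."""
from collections import defaultdict


class Replica:
    """One domain controller's view of the forest: dn -> attributes.

    After replicate() has run, the view stands in for what a global catalog
    server holds (objects from every domain). Filtering by domain models a
    tool that queries only its own domain partition instead of the GC.
    """

    def __init__(self, name, domain):
        self.name = name
        self.domain = domain
        self.objects = {}  # dn -> {"userPrincipalName": ..., "domain": ...}

    def upn_exists(self, upn, domain=None):
        """True if an object already carries this UPN (case-insensitive)."""
        target = upn.lower()
        for attrs in self.objects.values():
            if domain is not None and attrs["domain"] != domain:
                continue  # non-GC tool: objects of other domains are invisible
            if attrs["userPrincipalName"].lower() == target:
                return True
        return False

    def write_upn(self, dn, upn, domain):
        self.objects[dn] = {"userPrincipalName": upn, "domain": domain}


def replicate(replicas):
    """Crude multi-master replication: every replica ends up with every object.
    Real replication is delayed; that delay is the window the article describes."""
    merged = {}
    for r in replicas:
        merged.update(r.objects)
    for r in replicas:
        r.objects = dict(merged)


def find_duplicate_upns(objects):
    """Detection pass over one replica's view: UPN (lower-cased) -> DNs that
    carry it, keeping only UPNs held by more than one object."""
    by_upn = defaultdict(list)
    for dn, attrs in objects.items():
        by_upn[attrs["userPrincipalName"].lower()].append(dn)
    return {upn: dns for upn, dns in by_upn.items() if len(dns) > 1}


# Constructed sample identities (not from the article).
JOHN = "CN=John Smith,OU=Users,DC=corp,DC=domain,DC=com"
JANE = "CN=Jane Smith,OU=Users,DC=sales,DC=domain,DC=com"
UPN = "JSmith@domain.com"


def racing_processes():
    """The article's four steps: both queries run before either write, so both
    checks pass and, once replication finishes, two objects share the UPN."""
    dc1, dc2 = Replica("DC1", "corp"), Replica("DC2", "corp")
    process1_sees_free = not dc1.upn_exists(UPN)  # 1. Process1 queries
    process2_sees_free = not dc2.upn_exists(UPN)  # 2. Process2 queries
    if process1_sees_free:
        dc1.write_upn(JOHN, UPN, "corp")          # 3. Process1 writes
    if process2_sees_free:
        dc2.write_upn(JANE, UPN, "corp")          # 4. Process2 writes
    replicate([dc1, dc2])
    return find_duplicate_upns(dc1.objects)


def non_gc_tool():
    """Second cause: a tool in the sales domain checks only its own partition
    and misses a UPN that already exists in corp (visible only through the GC)."""
    corp, sales = Replica("CORP-DC1", "corp"), Replica("SALES-DC1", "sales")
    corp.write_upn(JOHN, UPN, "corp")
    replicate([corp, sales])
    seen_in_own_domain = sales.upn_exists(UPN, domain="sales")
    seen_in_gc = sales.upn_exists(UPN)
    if not seen_in_own_domain:
        sales.write_upn(JANE, UPN, "sales")
    replicate([corp, sales])
    return seen_in_own_domain, seen_in_gc, find_duplicate_upns(corp.objects)


def serialized_process():
    """Resolution modelled: one process assigns every UPN, checks the GC view
    before each write, and refuses a request whose UPN is already taken."""
    gc1, gc2 = Replica("GC1", "corp"), Replica("GC2", "sales")
    requests = [(JOHN, "corp", UPN), (JANE, "sales", UPN.lower())]  # differ only in case
    accepted, rejected = [], []
    for dn, domain, upn in requests:
        if gc1.upn_exists(upn):
            rejected.append(dn)
            continue
        gc1.write_upn(dn, upn, domain)
        accepted.append(dn)
        replicate([gc1, gc2])
    return accepted, rejected, find_duplicate_upns(gc2.objects)


if __name__ == "__main__":
    print("racing processes   ->", racing_processes())
    print("non-GC tool        ->", non_gc_tool())
    print("serialized process ->", serialized_process())
```

The first two functions each end with find_duplicate_upns() reporting JSmith@domain.com on both objects; the third accepts John Smith, rejects Jane Smith's request for the same UPN, and reports no duplicates. Running find_duplicate_upns() over an export of userPrincipalName values taken from a global catalog server is the same detection pass an administrator would use to locate existing duplicates in a real forest.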

REFERENCES

For additional information about Active Directory, refer to the following Microsoft Web site:

For additional information about programmatically querying the Global Catalog for a UPN, click the article number below to view the article in the Microsoft Knowledge Base:

252490 HOWTO: Use ADSI to query the Global Catalog for a UPN


Keywords: kbactivedirectoryrepl kbenv kbmsg kbprb KB251359