Prepare Active Directory for Azure AD Connect

Plan for non-routable domain names

Your browser does not support video. Install Microsoft Silverlight, Adobe Flash Player, or Internet Explorer 9.

Develop your talent with more than 10,000 online courses from LinkedIn Learning

In this lesson, we'll look at using non-routable domain names and actually planning for the use of non-routable domain names when you are doing a sync between Active Directory and Office 365. So before you perform the sync between objects in your on-premises Active Directory environment and your Azure Active Directory, which supports Office 365, we need to make sure that all the user account objects in the onsite Active Directory are configured to use a UPN suffix, a user principal name suffix that will work in both environments.

So what we're talking about here is the ability to publicly route those objects. If you have an internal Active Directory domain that is publicly routable this isn't going to be a problem. So that's what we're again taking a look at here. So let me give you an example of what would be okay to use and not have to worry about versus what would be non-routable and what we do have to mitigate for and that's of course what we are talking about here in this lesson. So if you have an internal domain, if your users log on and they log on to or or or I should say, all of those domains are publicly routable.

You know what else is publicly routable? Any name that you choose, so when you provision your tenant if you recall back to that first course on provisioning your Office 365 tenant. When we picked out our domain name, we picked out a domain name that was unique within the domain of, and the reason why we did that is because is a publicly routable domain, so anything we choose that hasn't been already taken can be publicly routed, and you can access Office 365 services that are hosted on the cloud.

Now what's a non-routable domain? Some examples would be microsoft.local, linkedin.private, beanlakellc.hq, so you should recognize that I can't go to a web browser for example and type microsoft.local and get to a resource. I can do and get to the web resource that's at, but I can't get to microsoft.local. I can't get to linkedin.private nor beanlakellc.hq. Now, those may be the domains that your internal users log into because those don't have to be routed through the public DNS.

They can be be routed locally in a private implementation of DNS that supports your on-premises Active Directory. So that's the situation that we are mitigating here. How do we get these two things, a public domain and a private domain to agree and talk to one another so that they can sync their objects between the on-premises Active Directory and your Office 365 environment. When this is the case, you will need to add a UPN suffix that is publicly routable so that your Active Directory, when it's on site, is properly configured, and you need to do this prior to your initial synchronization.

So when we do this, we will have a couple of options, and I'll show you some of those options here in just a second or a couple of steps to go through. One is that you will add a UPN suffix to your Active Directory environment using Active Directory domains and trusts. You will add another option that your user accounts can use when they are logging on to the Active Directory domain. Then, you can change the UPN suffix that those accounts use using the tool Active Directory users and groups.

Now the other tool that you can use is you can use PowerShell to make bulk modifications because in a production domain, you're typically going to have several, maybe hundreds, maybe thousands of users to update their UPN suffixes all at once, and so probably you're going to want to gravitate towards the use of PowerShell in a real production environment, so again, let me show you a little bit of what's involved in this process. Now I've got an Active Directory environment installed here, and on a virtual machine, I've got Windows Server 2012.

This computer is configured as a domain controller, and I've got Server Manager running on this computer. It's just an application, and it's just kind of a dashboard into lots of other management tools of the server. So I'm going to click on tools and start with looking at the current UPN environment. I'm going to load up Active Directory Domains and Trusts. And then from the top-level node here, I'll just give it a right click and choose Properties, and right here I see the UPN suffixes that are used, and you can see that I have added this one, landonhotels.local.

Now I can add as many as I want to here if I want to. I could add something like, so in a production environment when you're really doing this what you'll want to do is add the UPN suffix that matches the publicly routable domain that you might be using with your Office 365 environment. So once that's done, you can click on add and then click on apply and close that and close this if you want to or just minimize it.

Now the other tool that we need to take a look at here to show you where this UPN fits in is Active Directory Users and Computers, so I'll give it a click here and what this does is it lists out all of my users and my groups and my computers that are used in this Active Directory environment. So here's my domain. Here's an organizational unit, and then I've got this list of users that have already been configured in this environment.

This one, if I look at the properties, I can look at the Account properties and look at the user logon name. Now here's where you will set the UPN name for a particular user, so there's the logon name and here's the place where they logon to and here's the dropdown where I can set a different UPN than the default. So most users in this environment. I created Edgar Poe, but let's just take a look at Dennis here, and if I double click, I can also get to the properties.

The user logon name here is dnickelback, and then his UPN name is that combined with the logon domain, Here's again where I can change. So this might be publicly routable, but your production environment especially if it's been around for several years, it may not be routable. It may be using something like landonhotels.local as the UPN, so you want to configure it so that it uses something that is publicly routable, and that's how those two things are tied together.

Now if I look at the Properties of this guy here, I should be able to change it to something publicly routable. Now before we wrap things up here in this lesson, I also want to point out that you can use Windows PowerShell to accomplish the same thing. I showed you how to access the Properties dialogue box of an individual user to change the UPN, but of course, there's a way to script this out and to do this from the command line using PowerShell.

The tools you'll use, the commandlets will be these. Get ADUser, and then you can filter. You could look for user principal names that only use landonhotels.local for example, or whatever is the case in your environment, and then you can pipe it if you want to into a ForEach statement, so ForEach, you will then set a new UPN, and then you can use the commandlet Set ADUser to make that happen.

So I've condensed this a little bit from a full example of what the PowerShell syntax would look like. Some other resources here for you. You can also use this command as well, which is Set-MsolUserPrincipalName that will allow you to also configure the UPN suffix for a user. For a full reference on this and to get some examples of the exact PowerShell syntax and how it would be practical used where you can just go in, cut and paste, and then replace the example domain with the domain that you want to change for your user principal names, I recommend that you search non-routable domain PowerShell.

What you're looking for is this resource right here. It's a support article about how to prepare a non-routable domain. At the very bottom of that article, which I've pulled up here, in Microsoft Edge. At the bottom of this article about how to prepare a non-routable domain for directory synchronization, here is some syntax, and again, there isn't one exact right way. There's lots of possible variations on this that you could use, but again, here are the main features of the PowerShell commands you'll use.

Get ADUser, and then you know, here it is piped into a statement. Replace that with that in this example here and then piped into the command Set ADUser, and then, you're using that variable, which is set right there, so at any rate, that's the PowerShell syntax that you might use to do this in bulk.

LinkedIn Learning

LinkedIn Learning is an online learning platform that combines industry-leading content from with LinkedIn’s professional network of more than 500 million member profiles to provide highly personalized course recommendations and a more intuitive learning experience. Learn more.


  • Learn from recognized industry experts, and get the business, tech, and creative skills that are most in demand.

  • Receive personal recommendations based on your LinkedIn profile.

  • Stream courses from your computer or mobile device.

  • Take courses for every level – beginner to advanced.

  • Practice while you learn with quizzes, exercise files, and coding windows.

  • Provide learning for your team or entire organization, with an easy to use experience for managing users, curating content and measuring engagement

For businesses with 150+ licenses Request Office 365 onboarding assistance from FastTrack

You can request remote and personalized assistance with onboarding. Our FastTrack engineers will help you plan your Office 365 project, assess your technical environment, provide remediation guidance, and provide user adoption assistance. For businesses with at least 500 licenses, Microsoft also provides personalized assistance to migrate data to Office 365.

See the FastTrack Center Video:

Get started today:

Tip: Businesses with 1-149 licenses still have access to FastTrack guidance via links in the Admin Center and also available at

Network and system admins can prepare on-premises directories and connect to Azure to take advantage of managing Office 365 groups and users using common identities. Preparation, setup, and administration steps are demonstrated in this course using the Azure Active Directory (AAD) Connect tool. This course is designed to provide you with a better understanding of domain controllers, identity management, synchronization, and more. This course is also an exam preparation resource with topics that map to a corresponding domain in the Office 365 70-346 exam: Managing Office 365 Identities and Requirements.

Topics include:

  • Active Directory Connect and Office 365

  • Planning for non-routable domain names

  • Cleaning up Active Directory objects

  • Using the IDFix tool

  • Filtering Active Directory

  • Using AAD install

  • Synchronizing passwords and attributes

  • Creating and managing users and groups

  • Scheduling and forcing AD synchronization

Connect with an expert
Contact us
Expand your skills
Explore training

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.