Microsoft KB Archive/942223

= A user in a trusted Windows Server 2003 forest cannot use a UPN to log on to a trusting Windows Server 2003 forest when UPN suffixes are not DNS-compliant =

Article ID: 942223

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



SYMPTOMS
Consider the following scenario. A Windows Server 2003 forest trusts another Windows Server 2003 forest. However, a user in the trusted forest cannot use a user principal name (UPN) to log on to the trusting forest.

This problem may occur if a UPN suffix that is created in the &quot;Active Directory Domain and Trusts&quot; Microsoft Management Console (MMC) snap-in is not a DNS-compliant name. Typical UPN suffixes that are not DNS-compliant include, but are not limited to, the following:
 * Names that consist completely of numeric characters
 * Names that contain non-ANSI characters

For example, assume that forest B trusts forest A. User A in forest A has a UPN of userA@12345. User B in forest A has a UPN of userB@example.com. In this situation, user B can log on to forest B. However, user A cannot log on to forest B.



CAUSE
This problem occurs when UPN suffixes that are not DNS-compliant are not routed across a forest trust.



RESOLUTION
To enable users to log on to the trusting forest, change the UPN suffixes so that they are DNS-compliant.

To prevent UPN suffixes that are not DNS-compliant from being created, you can change the UPN suffixes in the &quot;Active Directory Domain and Trusts&quot; MMC snap-in. Make sure that all the specified UPN suffixes are DNS-compliant.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Additional query words: UPN Suffix Routing Forest Trust numeric-only

Keywords: kbtshoot kbprb kbexpertiseinter KB942223

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.