Microsoft KB Archive/256287

= Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable =

Article ID: 256287

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q256287





SYMPTOMS
When you attempt to change your password by using your user principal name ( @ .com), you may receive one of the following error messages.

If the account is in the parent domain:

The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

If the account is in a child domain:

Unable to change the password on this account due to the following error:

1359 : An internal error occurred

Please consult your system administrator.

Attempting to change the password with your "pre-Windows" account name (also known as the down-level or SAM account name) works correctly.



CAUSE
This behavior can occur if the global catalog (GC) server could not be contacted.



RESOLUTION
Confirm that your validating domain controller has access to a GC server. To check this, first find out which domain controller authenticated you. You can use the Winmsd tool or check the LOGONSERVER environment variable by typing the following command at a command prompt:

echo %logonserver%

Next, check the Event log under Directory Service. You may see the following error message:

Event 1126 Unable to establish connect with global catalog

This issue affects only users whose user principal name (UPN) and down-level account name do not match. If the userPrincipalName attribute is not found, samAccountName@domain.name is used.

Note also that a GC server is required for logon in all cases, except when there is only a single domain, the child domain is in Mixed mode, or the user is the administrator. However, operating without a global catalog server is not recommended, because some services and applications require a GC to function, for example, Windows Address Book (WAB) and Exchange 2000. WAB can be configured to point to the Active Directory LDAP port 389, but it defaults to the GC port 3268.
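
The checks above can be scripted. The following PowerShell is an added example, not part of the original Microsoft article; it assumes a domain-joined host with the RSAT ActiveDirectory module, rights to read the domain controller's event log remotely, and an arbitrary 24-hour look-back window.

```powershell
# Added example. Assumptions: domain-joined host, RSAT ActiveDirectory module,
# and permission to read the validating DC's event log over the network.
Import-Module ActiveDirectory

# 1. Which domain controller validated this logon? (same value as: echo %logonserver%)
$dc = $env:LOGONSERVER.TrimStart('\')
"Validating DC: $dc"

# 2. Has that DC logged event 1126 in its Directory Service log recently?
#    The 24-hour window is an arbitrary choice for this example.
$gcEvents = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 1126
    StartTime = (Get-Date).AddDays(-1)
})
"Event 1126 entries in the last 24 hours: $($gcEvents.Count)"

# 3. Does each global catalog in the forest answer on the GC port (3268)?
#    The probe runs from the local host, so it only approximates what the
#    validating DC itself can reach.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($gc in $forest.GlobalCatalogs) {
    $probe = Test-NetConnection -ComputerName $gc.Name -Port 3268 -WarningAction SilentlyContinue
    '{0,-40} port 3268 reachable: {1}' -f $gc.Name, $probe.TcpTestSucceeded
}

# 4. Which accounts rely on the GC when changing a password by UPN?
#    Per the article, these are users whose UPN differs from the implicit
#    samAccountName@domain.name form (-ne is case-insensitive in PowerShell).
$dnsRoot = (Get-ADDomain).DNSRoot
Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    Where-Object { $_.UserPrincipalName -ne "$($_.SamAccountName)@$dnsRoot" } |
    Select-Object SamAccountName, UserPrincipalName
```

A non-zero event count in step 2 together with failed probes in step 3 points to the cause described in this article; the list from step 4 shows which users would see the error.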



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



MORE INFORMATION
You can configure a UPN to specify a different domain than the name of the domain in which the account resides. For example, you can configure an account in the child domain ( @ . .com) to log on with only the parent domain name ( @ .com). This does not move the account, but provides a simplified logon for the users in child domains. Because the real domain of the account cannot be determined by using the domain listed, the GC server must be consulted to determine in which domain the account resides. If the GC cannot be contacted, an error message is displayed.

Keywords: kbenv kberrmsg kbglobalcatalog kbprb KB256287


© Microsoft Corporation. All rights reserved.