Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/251359

From BetaArchive Wiki

Article ID: 251359

Article Last Modified on 2/28/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q251359

SYMPTOMS

Users may be unable to log on using their user principal names (UPNs) or duplicate UPNs may be displayed in the directory.

CAUSE

This behavior can occur if you use multiple processes to set UPNs or if you use a tool that does not query the global catalog. Because the UPN provides the ability to perform a single logon anywhere in the organization, the UPN must be unique across the entire Windows 2000 forest.

RESOLUTION

To resolve this issue, make sure that each UPN is unique across the organization.

MORE INFORMATION

A UPN is composed of a user account logon name and the UPN suffix joined by the at sign (@). It allows for a simplified logon and is most commonly the user's e-mail address.

Active Directory itself does not enforce uniqueness of a UPN. The process that creates or modifies the UPN is responsible to check for uniqueness (this is done by querying the global catalog).

Active Directory is a multi-master environment with loose consistency. This means that each domain controller contains its own view of the directory, which it can modify. These views are then consolidated through the replication process. In an environment with multiple global catalog servers, there is a normal replication delay. The UPN may be unique for the local global catalog server that was queried at the time of modification, but after replication is finished, changes from another domain controller may cause the same UPN value to be present on different objects.

Additionally, because each domain controller can make modifications, there is no authority for implementing a global locking mechanism. Searching for an existing UPN and writing a UPN to the directory are separate tasks. Without a locking mechanism, it is possible for queries and write operations to the directory to overlap.

The following example shows how a UPN can be set for two users, which can result in duplication:

  1. Process1 queries for UPN JSmith@domain.com.
  2. Process2 queries for UPN JSmith@domain.com.
  3. Process1 writes a UPN for John Smith as JSmith@domain.com.
  4. Process2 writes a UPN for Jane Smith as JSmith@domain.com.

Both queries indicate there is no UPN with the value of JSmith@domain.com. However, after the write operations are finished, both users have the same UPN.

REFERENCES

For additional information about Active Directory, refer to the following Microsoft Web site:

For additional information about programmatically querying the Global Catalog for a UPN, click the article number below to view the article in the Microsoft Knowledge Base:

252490 HOWTO: Use ADSI to query the Global Catalog for a UPN


Keywords: kbactivedirectoryrepl kbenv kbmsg kbprb KB251359