Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable (256287)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q256287

SYMPTOMS

When you attempt to change your password by using your user principal name (youraccount@yourcompany.com), you may receive one of the following error messages.

If the account is in the parent domain:

The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

If the account is in a child domain:

Unable to change the password on this account due to the following error:
1359 : An internal error occurred
Please consult your system administrator.

Attempting to change the password with your "pre-Windows" account name (also known as the down-level or SAM account name) works correctly.

CAUSE

This behavior can occur if the global catalog (GC) server could not be contacted.

RESOLUTION

Confirm that your validating domain controller has access to a GC server. To check this, first find out which domain controller authenticated you. You can use the Winmsd tool or check the LOGONSERVER environment variable by typing the following command at a command prompt:

Next, check the Event log under Directory Service. You may see the following error message:

Event 1126 Unable to establish connect with global catalog

This issue affects only users whose user principal name (UPN) and down-level account name do not match. If the userPrincipalName attribute is not found, samAccountName@domain.name is used.

Note also that a GC server is required for logon in all cases, except when there is only a single domain, the child domain is in Mixed mode, or the user is the administrator. However, it is not recommended to operate without a Global Catalog server as there are some services and applications that require a GC to function, for example, Windows Address Book and Exchange 2000. WAB can be configured to point to the AD's LDAP port of 389 but defaults to the GC port 3268.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

You can configure a UPN to specify a different domain than the name of the domain in which the account resides. For example, you can configure an account in the child domain (user@child.parent.com) to log on with only the parent domain name (user@parent.com). This does not move the account, but provides a simplified logon for the users in child domains. Because the real domain of the account cannot be determined by using the domain listed, the GC server must be consulted to determine in which domain the account resides. If the GC cannot be contacted, an error message is displayed.
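
The matching rule described above can be applied to an account export to list the users whose UPN password change depends on a GC lookup, alongside a TCP probe of the GC port. The following Python code is an added example, not part of the original article: the account records and the host name are constructed, and the function names and the case-insensitive comparison are assumptions. The probe only shows that the GC port answers from where the script runs, not that the validating domain controller itself can reach a GC.

```python
import socket
from typing import Optional

GC_PORT = 3268  # global catalog LDAP port named in the article


def implicit_upn(sam: str, dns_domain: str) -> str:
    """Default UPN when userPrincipalName is not set: samAccountName@domain.name."""
    return f"{sam}@{dns_domain}"


def depends_on_gc(sam: str, dns_domain: str, upn: Optional[str]) -> bool:
    """True when the effective UPN differs from samAccountName@domain.name.

    Assumption: names are compared case-insensitively.
    """
    default = implicit_upn(sam, dns_domain)
    effective = upn if upn else default
    return effective.lower() != default.lower()


def affected_accounts(accounts) -> list:
    """Return the down-level names of accounts whose UPN needs a GC lookup."""
    return [a["sam"] for a in accounts
            if depends_on_gc(a["sam"], a["domain"], a.get("upn"))]


def gc_reachable(host: str, port: int = GC_PORT, timeout: float = 3.0) -> bool:
    """TCP probe of the GC port; a refused, unresolved or timed-out connection returns False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample records (not real accounts).
ACCOUNTS = [
    {"sam": "user", "domain": "child.parent.com", "upn": "user@parent.com"},
    {"sam": "adavis", "domain": "child.parent.com", "upn": None},
    {"sam": "bjones", "domain": "parent.com", "upn": "bob.jones@parent.com"},
    {"sam": "cwu", "domain": "parent.com", "upn": "CWu@Parent.com"},
]

if __name__ == "__main__":
    print("UPN password change needs a GC for:", affected_accounts(ACCOUNTS))
    # Hypothetical host name; use the domain controller reported by LOGONSERVER.
    print("GC port reachable:", gc_reachable("dc01.parent.com"))
```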

Modification Type: Major
Last Reviewed: 3/26/2004
Keywords: kbenv kberrmsg kbGlobalCatalog kbprb KB256287