Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable



This article was previously published under Q256287



Symptoms

When you attempt to change your password by using your user principal name (youraccount@yourcompany.com), you may receive one of the following error messages.

If the account is in the parent domain:

    The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.

If the account is in a child domain:

    Unable to change the password on this account due to the following error:
    1359 : An internal error occurred
    Please consult your system administrator.

Attempting to change the password with your "pre-Windows" account name (also known as the down-level or SAM account name) works correctly.



Cause

This behavior can occur if the global catalog (GC) server could not be contacted.



Resolution

Confirm that your validating domain controller has access to a GC server. To check this, first find out which domain controller authenticated you. You can use the Winmsd tool or check the LOGONSERVER environment variable by typing the following command at a command prompt:

    echo %logonserver%

Next, check the Event log under Directory Service. You may see the following error message:

    Event 1126 Unable to establish connect with global catalog

This issue affects only users whose user principal name (UPN) and down-level account name do not match. If the userPrincipalName attribute is not found, samAccountName@domain.name is used.

Note also that a GC server is required for logon in all cases, except when there is only a single domain, the child domain is in Mixed mode, or the user is the administrator. However, operating without a Global Catalog server is not recommended, because some services and applications require a GC to function, for example, Windows Address Book (WAB) and Exchange 2000. WAB can be configured to point to the Active Directory LDAP port 389, but it defaults to the GC port 3268.
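
The Resolution steps above as one PowerShell check. This is an added example, not part of the original Microsoft article; it assumes a domain-joined machine with Test-NetConnection available and rights to read the domain controller's event log remotely.

```powershell
# Added example (not from the KB article). Run it in the affected user's session.
# The port probe runs from this machine; run the script on the validating DC
# itself to test that DC's own path to a global catalog.
Add-Type -AssemblyName System.DirectoryServices

# Step 1: which domain controller validated this logon (same as `echo %logonserver%`).
$dc = $env:LOGONSERVER -replace '^\\\\', ''
if (-not $dc) { throw 'LOGONSERVER is not set; this is not a domain logon session.' }

# Is the account in the affected group? Only a UPN that differs from the implicit
# samAccountName@domain.name form is affected, per the article.
$upn      = whoami /upn 2>$null
$implicit = '{0}@{1}' -f $env:USERNAME, $env:USERDNSDOMAIN
$affected = [bool]($upn -and ($upn -ne $implicit))   # -ne is case-insensitive

# Step 2: look for event 1126 in the Directory Service log on that DC.
$events = @(Get-WinEvent -ComputerName $dc -MaxEvents 20 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1126 })

# Step 3: list the forest's global catalogs and probe the GC port (3268) on each.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcStatus = @(foreach ($gc in $forest.FindAllGlobalCatalogs()) {
    $probe = Test-NetConnection -ComputerName $gc.Name -Port 3268 `
        -WarningAction SilentlyContinue
    [pscustomobject]@{
        GlobalCatalog = $gc.Name
        Site          = $gc.SiteName
        Port3268Open  = $probe.TcpTestSucceeded
    }
})

# Summary: an affected UPN plus event 1126 or no reachable GC matches this article.
[pscustomobject]@{
    LogonServer    = $dc
    UPN            = $upn
    ImplicitUPN    = $implicit
    UpnNeedsGC     = $affected
    Event1126Count = $events.Count
    LastEvent1126  = ($events | Select-Object -First 1).TimeCreated
    ReachableGCs   = @($gcStatus | Where-Object Port3268Open).Count
}
$gcStatus | Format-Table -AutoSize
```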



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.



More information

You can configure a UPN to specify a different domain than the name of the domain in which the account resides. For example, you can configure an account in the child domain (user@child.parent.com) to log on with only the parent domain name (user@parent.com). This does not move the account, but provides a simplified logon for the users in child domains. Because the real domain of the account cannot be determined by using the domain listed, the GC server must be consulted to determine in which domain the account resides. If the GC cannot be contacted, an error message is displayed.



Keywords: kbenv, kberrmsg, kbglobalcatalog, kbprb, KB256287


Article Info
Article ID : 256287
Revision : 10
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False