A user in a trusted Windows Server 2003 forest cannot use a UPN to log on to a trusting Windows Server 2003 forest when UPN suffixes are not DNS-compliant

Consider the following scenario. A Windows Server 2003 forest trusts another Windows Server 2003 forest. However, a user in the trusted forest cannot use a user principal name (UPN) to log on to the trusting forest.

This problem may occur if a UPN suffix that is created in the "Active Directory Domain and Trusts" Microsoft Management Console (MMC) snap-in is not a DNS-compliant name. Typical UPN suffixes that are not DNS-compliant include, but are not limited to, the following:

�	Names that consist completely of numeric characters
�	Names that contain non-ANSI characters

For example, assume that forest B trusts forest A. User A in forest A has a UPN of userA@12345. User B in forest A has a UPN of userB@example.com. In this situation, user B can log on to forest B. However, user A cannot log on to forest B.

This problem occurs when UPN suffixes that are not DNS-compliant are not routed across a forest trust.

To enable users to log on to the trusting forest, change the UPN suffixes so that they are DNS-compliant.

To prevent UPN suffixes that are not DNS-compliant from being created, you can change the UPN suffixes in the "Active Directory Domain and Trusts" MMC snap-in. Make sure that all the specified UPN suffixes are DNS-compliant.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.