Article ID: 256287 - Last Review: February 28, 2007 - Revision: 4.6

Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q256287
Expand all | Collapse all

SYMPTOMS

When you attempt to change your password by using your user principal name (youraccount@yourcompany.com), you may receive one of the following error messages.

If the account is in the parent domain:
The user name or old password is incorrect. Letters in passwords must be typed using the correct case. Make sure the Caps is not accidentally on.
If the account is in a child domain:
Unable to change the password on this account due to the following error:

1359 : An internal error occurred
Please consult your system administrator.
Attempting to change the password with your "pre-Windows" account name (also known as the down-level or SAM account name) works correctly.
Back to the top

CAUSE

This behavior can occur if the global catalog (GC) server could not be contacted.
Back to the top

RESOLUTION

Confirm that your validating domain controller has access to a GC server. To check this, first find out which domain controller authenticated you. You can use the Winmsd tool or check the LOGONSERVER environment variable by typing the following command at a command prompt:
echo %logonserver%
Next, check the Event log under Directory Service. You may see the following error message:
Event 1126 Unable to establish connect with global catalog
This issue affects only users whose user principal name (UPN) and down-level account name do not match. If the userPrincipalName attribute is not found, samAccountName@domain.name is used.

Note also that a GC server is required for logon in all cases, except when there is only a single domain, the child domain is in Mixed mode, or the user is the administrator. However, it is not recommended to operate without a Global Catalog server as there are some services and applications that require a GC to function, for example, Windows Address Book and Exchange 2000. WAB can be configured to point to the AD's LDAP port of 389 but defaults to the GC port 3268.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Back to the top

MORE INFORMATION

You can configure a UPN to specify a different domain than the name of the domain in which the account resides. For example, you can configure an account in the child domain (user@child.parent.com) to log on with only the parent domain name (user@parent.com). This does not move the account, but provides a simplified logon for the users in child domains. Because the real domain of the account cannot be determined by using the domain listed, the GC server must be consulted to determine in which domain the account resides. If the GC cannot be contacted, an error message is displayed.
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Advanced Server
Back to the top
Keywords: 
kbenv kberrmsg kbglobalcatalog kbprb KB256287
Back to the top