This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario. A Windows Server 2003 forest trusts another Windows Server 2003 forest. However, a user in the trusted forest cannot use a user principal name (UPN) to log on to the trusting forest.
This problem may occur if a UPN suffix that is created in the "Active Directory Domains and Trusts" Microsoft Management Console (MMC) snap-in is not a DNS-compliant name. Typical UPN suffixes that are not DNS-compliant include, but are not limited to, the following:
Names that consist completely of numeric characters
Names that contain non-ANSI characters
For example, assume that forest B trusts forest A. User A in forest A has a UPN of userA@12345. User B in forest A has a UPN of userB@example.com. In this situation, user B can log on to forest B. However, user A cannot log on to forest B.
This problem occurs when UPN suffixes that are not DNS-compliant are not routed across a forest trust.
To enable users to log on to the trusting forest, change the UPN suffixes so that they are DNS-compliant.
To prevent UPN suffixes that are not DNS-compliant from being created, you can change the UPN suffixes in the "Active Directory Domains and Trusts" MMC snap-in. Make sure that all the specified UPN suffixes are DNS-compliant.
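One way to audit a list of UPN suffixes for the two categories named above before relying on them across a forest trust. This is an added example, not Microsoft's code. The function name Test-UpnSuffix is hypothetical, the compliance rules are an assumption based on RFC 1123 host name syntax, and the sample suffixes other than 12345 and example.com are constructed.

```powershell
# Added example: flag UPN suffixes that are not DNS-compliant.
# Assumed rules: RFC 1123 host name syntax (labels of 1-63 letters, digits
# or hyphens, no leading/trailing hyphen, 253 characters in total) plus the
# two categories the article names (all-numeric and non-ANSI names).
function Test-UpnSuffix {
    param([string]$Suffix)

    $problems = @()
    if ($Suffix -match '[^\x00-\x7F]') { $problems += 'contains non-ASCII characters' }
    if ($Suffix -match '^[0-9.]+$')    { $problems += 'consists only of numeric characters' }
    if ($Suffix.Length -gt 253)        { $problems += 'longer than 253 characters' }

    foreach ($label in $Suffix.Split('.')) {
        if ($label.Length -lt 1 -or $label.Length -gt 63) {
            $problems += "label '$label' is not 1-63 characters long"
        }
        elseif ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            $problems += "label '$label' is not letters/digits/hyphens or starts or ends with a hyphen"
        }
    }

    [pscustomobject]@{
        Suffix       = $Suffix
        DnsCompliant = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

# Constructed sample input. '12345' and 'example.com' are the article's own
# examples; the rest are made up to exercise each rule.
$samples = @(
    '12345',
    'example.com',
    "m$([char]0xFC)nchen.example",   # non-ASCII character built at run time
    'corp_hq.example',
    '-branch.example'
)

$samples | ForEach-Object { Test-UpnSuffix $_ } | Format-Table -AutoSize -Wrap

# Where the ActiveDirectory module is available, the forest's configured
# suffixes can be checked the same way:
#   (Get-ADForest).UPNSuffixes | ForEach-Object { Test-UpnSuffix $_ }
```

Of the sample values, only example.com is reported as DNS-compliant.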
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.