A user in a trusted Windows Server 2003 forest cannot use a UPN to log on to a trusting Windows Server 2003 forest when UPN suffixes are not DNS-compliant

Support for Windows Server 2003 ended on July 14, 2015


This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
Consider the following scenario. A Windows Server 2003 forest trusts another Windows Server 2003 forest. However, a user in the trusted forest cannot use a user principal name (UPN) to log on to the trusting forest.

This problem may occur if a UPN suffix that is created in the "Active Directory Domains and Trusts" Microsoft Management Console (MMC) snap-in is not a DNS-compliant name. Typical UPN suffixes that are not DNS-compliant include, but are not limited to, the following:
  • Names that consist completely of numeric characters
  • Names that contain non-ANSI characters
For example, assume that forest B trusts forest A. User A in forest A has a UPN of userA@12345. User B in forest A has a UPN of userB@example.com. In this situation, user B can log on to forest B. However, user A cannot log on to forest B.
CAUSE
This problem occurs because UPN suffixes that are not DNS-compliant are not routed across a forest trust.
RESOLUTION
To enable users to log on to the trusting forest, change the UPN suffixes so that they are DNS-compliant.

To prevent UPN suffixes that are not DNS-compliant from being created, you can change the UPN suffixes in the "Active Directory Domains and Trusts" MMC snap-in. Make sure that all the specified UPN suffixes are DNS-compliant.
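
The following Python check is an added example, not part of the original Microsoft article. It flags UPNs whose suffix is not DNS-compliant so that they can be corrected before users need to log on across the forest trust. It assumes that "DNS-compliant" means RFC 1123 host-name syntax, which covers more than the two cases the article names; the function names and every sample UPN other than userA@12345 and userB@example.com are constructed.

```python
import re

# Assumption: "DNS-compliant" means RFC 1123 host-name syntax. Each label is
# 1-63 letters, digits or hyphens and does not start or end with a hyphen.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def upn_suffix_problems(suffix):
    """Return the reasons a UPN suffix is not DNS-compliant (empty list = OK)."""
    if not suffix:
        return ["empty suffix"]
    problems = []
    if not suffix.isascii():
        # The article says "non-ANSI"; host-name syntax is stricter (ASCII only).
        problems.append("contains non-ASCII characters")
    if len(suffix) > 253:
        problems.append("longer than 253 characters")
    labels = suffix.split(".")
    # Assumption: dotted all-digit names count as "completely numeric" too.
    if all(label.isascii() and label.isdigit() for label in labels):
        problems.append("consists only of numeric characters")
    for label in labels:
        if label.isascii() and not LABEL.fullmatch(label):
            problems.append(f"invalid label {label!r}")
    return problems


def audit_upns(upns):
    """Map each UPN whose suffix fails the check to the reasons why."""
    findings = {}
    for upn in upns:
        _, at, suffix = upn.rpartition("@")
        reasons = upn_suffix_problems(suffix) if at else ["no @ in UPN"]
        if reasons:
            findings[upn] = reasons
    return findings


# The first two UPNs are the article's; the rest are constructed samples.
SAMPLE_UPNS = [
    "userA@12345",
    "userB@example.com",
    "userC@corp_hq.example",
    "userD@büro.example",
]

if __name__ == "__main__":
    for upn, reasons in audit_upns(SAMPLE_UPNS).items():
        print(f"{upn}: {'; '.join(reasons)}")
```

Feed `audit_upns` a list of userPrincipalName values exported from the trusted forest; any UPN it reports has a suffix that should be changed as described above.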
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Properties

Article ID: 942223 - Last Review: 01/15/2015 08:53:36 - Revision: 1.2

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems