AD 2003 User login question

Guest

I have some users that can't log onto the AD 2003 domain with
(e-mail address removed). They have to use their pre-Windows 2000 login name and
choose the AD domain from the drop-down list. I also have a user that can
log onto the AD 2003 domain using their fully qualified login name but can't
change their password (they get a "no domain server available" error). BUT they
can change their password if they log into the domain using the pre-Windows
2000 login. This doesn't make sense at all. These computers have also
been added to the AD 2003 domain. Anyone got any suggestions?

Thanks
 
Jerold Schulman

I have some users that can't log onto the AD 2003 domain with
(e-mail address removed). They have to use their pre-Windows 2000 login name and
choose the AD domain from the drop-down list. I also have a user that can
log onto the AD 2003 domain using their fully qualified login name but can't
change their password (they get a "no domain server available" error). BUT they
can change their password if they log into the domain using the pre-Windows
2000 login. This doesn't make sense at all. These computers have also
been added to the AD 2003 domain. Anyone got any suggestions?

Thanks

http://support.microsoft.com?kbid=256287 Unable to Change Password with User Principal Name When a Global Catalog Server Is Unavailable

Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com
http://www.jsifaq.com
 
Guest

In Windows 2000, users have a user principal name (UPN)—e.g.,
(e-mail address removed)—as well as the usual down-level SAM name—e.g., savillj.
If you change your password using the down-level SAM username, the change
works fine, even if the Global Catalog (GC) isn't available. If you change
your password using your UPN and the GC isn't available, you receive the
following error message if the account is in the parent domain:



The user name or old password is incorrect. Letters in passwords must be
typed using the correct case. Make sure the Caps is not accidentally on.


Or, you receive the following error message if the account is in the child
domain:

Unable to change the password on this account due to the following
error:

1359: An internal error occurred
Please consult your system administrator.


To confirm that the GC's absence is the problem, use the following command
to find your logon server:


echo %logonserver%

When you find the logon server, check the directory-service event log for
the following event:

Event 1126 Unable to establish connect with global catalog


To fix this problem, you need to ensure that the GC is available. You
need the GC to change passwords using your UPN because domains store
information only about their local domain whereas the GC includes information
about objects in the entire forest. Thus, the GC must be available when you
use the UPN, unless you have only one domain.
 
Ace Fekay [MVP]

In
Jerry Farkas said:
I have some users that can't log onto the AD 2003 domain with
(e-mail address removed). They have to use their pre-Windows 2000 login
name and choose the AD domain from the drop-down list. I also have a
user that can log onto the AD 2003 domain using their fully qualified
login name but can't change their password (they get a "no domain server
available" error). BUT they can change their password if they log
into the domain using the pre-Windows 2000 login. This doesn't make
sense at all. These computers have also been added to the AD 2003
domain. Anyone got any suggestions?

Thanks

Jerry,

Obviously as Jerold and Santhosh pointed out, it's a GC issue, or lack
thereof.

In addition, if DNS is misconfigured on your clients (a DNS server and a DC
are also DNS clients), the same thing will happen. A client (DC or client
machines) queries DNS for the SRV records, of which the GC is one, and
will ask for the GC record when attempting to log on and for a host of other
actions. This means if your machines (any of them) have an ISP's DNS
address in their IP properties, then your machines may be asking your ISP,
"Where is my domain?" or "Where is the GC?" It is crucial to ensure all
machines are only using your internal DNS server(s) that host the AD DNS
domain name (or a way to get to it), for proper functionality.

Another issue causing the GC to not be available is a single label name,
which disables DNS registration.

I hope that helps to understand what goes on in the background. If you're
not sure of what the configuration should be, or the single label name
issue, please post an ipconfig /all of one of your DCs and of one of your
clients, and the actual AD DNS domain name, and we can help you with that.

:)

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
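
The checks suggested in the replies above (logon server, event 1126, client DNS servers, single-label domain name, GC SRV record), collected into one PowerShell script. This is an added example, not part of any post in the thread; the addresses in $InternalDns are constructed placeholders, and it assumes a domain-joined machine with PowerShell 3 or later and the DnsClient module.

```powershell
# Added example; $InternalDns holds constructed placeholder addresses (assumption).
param([string[]]$InternalDns = @('192.0.2.10', '192.0.2.11'))

# Same value as "echo %logonserver%", without the leading backslashes.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''

# DNS names of the user's domain and of the forest whose zone holds the GC records.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest.Name
"Logon server: $logonServer   Domain: $($domain.Name)   Forest: $forest"

# Single-label AD DNS name (no dot): per the reply above, this disables DNS registration.
if ($domain.Name -notmatch '\.') {
    Write-Warning "Single-label AD DNS domain name: $($domain.Name)"
}

# Every DNS server configured on this machine should be an internal one.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
foreach ($server in $configured) {
    if ($server -notin $InternalDns) {
        Write-Warning "DNS server $server is not in the internal list"
    }
}

# GC locator SRV records, as this client resolves them.
$gc = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if ($gc) {
    $gc | Select-Object NameTarget, Port, Priority, Weight
} else {
    Write-Warning "No GC SRV records found for _gc._tcp.$forest"
}

# Ask the DC locator for a global catalog.
nltest "/dsgetdc:$forest" /gc
if ($LASTEXITCODE -ne 0) { Write-Warning 'DC locator could not find a GC' }

# Event 1126 in the logon server's Directory Service log (needs remote log access).
Get-WinEvent -ComputerName $logonServer -MaxEvents 5 -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Directory Service'; Id = 1126 } |
    Select-Object TimeCreated, Id, Message
```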
 
