Access Denied: Changing an Account's UPN Suffix

To create a user account with a unique name, you sometimes need to change the account's UPN suffix.

ITPro Today

February 17, 2003


We recently hired a new employee with a common name: John Smith. When I tried to create his account in Active Directory (AD), Windows complained that a user with that name already existed in the forest. Don't usernames need to be unique only at the domain level?

All the domains of an AD forest comprise one namespace in which each user must have a unique user principal name (UPN). However, a UPN includes the user's UPN suffix as well as his or her logon name. For example, when you create an account for john.smith in the us.acme.com domain, the UPN suffix defaults to the tree's root domain: acme.com. To create a unique username for John Smith, you can change the UPN suffix to the name of the actual domain in which you're creating the user account—for example, to us.acme.com—as Figure 1 shows. Alternatively, you can create a new UPN suffix for the user. For an explanation, see the following question, "Creating New UPN Suffixes," Instant Doc ID 37795.
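
The forest-wide uniqueness rule described above can be checked before the account is created. The following is an added example, not part of the original column; it assumes the ActiveDirectory PowerShell module is installed, and the global catalog host `dc1.us.acme.com`, the `jsmith2` account name, and the `Test-UpnAvailable` function are hypothetical.

```powershell
# Added example: check a UPN against the whole forest, then create the
# account with the first suffix that is still free.
Import-Module ActiveDirectory

function Test-UpnAvailable {
    param(
        # Conservative pattern: rejects LDAP filter metacharacters ( ) * \
        # so the value can be placed in the filter string below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$')]
        [string] $Upn,

        # Any global catalog server in the forest (hypothetical name in use below).
        [Parameter(Mandatory)]
        [string] $GlobalCatalog
    )
    # Port 3268 queries the global catalog, which spans every domain in the
    # forest; a plain domain query would miss a duplicate in another domain.
    $match = Get-ADUser -LDAPFilter "(userPrincipalName=$Upn)" `
                        -Server "${GlobalCatalog}:3268"
    return -not $match
}

$logonName = 'john.smith'
$domain    = 'us.acme.com'        # domain that will hold the account
$gc        = 'dc1.us.acme.com'    # hypothetical global catalog server

# Try the default suffix (the tree's root domain) first, then the domain's own name.
$candidates = @("$logonName@acme.com", "$logonName@$domain")
$upn = $candidates |
    Where-Object { Test-UpnAvailable -Upn $_ -GlobalCatalog $gc } |
    Select-Object -First 1

if (-not $upn) {
    throw "No candidate UPN for '$logonName' is free in the forest."
}

# -WhatIf shows what would be created without changing the directory.
# The account is created disabled, to be enabled after a password is set.
New-ADUser -Name 'John Smith' -SamAccountName 'jsmith2' `
           -UserPrincipalName $upn -Server $domain -Enabled $false -WhatIf
```

Remove `-WhatIf` to create the account once the reported UPN is the one you intend.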
