danny8280 asked:
Migrated to hosted Exchange server and locking out accounts on AD now

I recently migrated to a hosted Exchange server on Rackspace. Since that time, my domain accounts have consistently been locking themselves out. Anybody who was created after the migration and did not have an account on the previous on-site Exchange server does not get locked out. When the users who do get locked out do not have Outlook running, they don't get locked out. How do I keep the accounts in Outlook from trying to send credentials to AD, considering the accounts have the same user@domain.com as the on-site Exchange? It seems that Outlook is sending credentials out for logging in to the Rackspace Exchange server, but AD is picking them up and obviously getting an incorrect password.
pwindell:
Delete the Outlook Profile and recreate it.  Do not simply "re-point" the existing profile to the new off-site Exchange.
danny8280 (asker):
I tried that, along with the uninstallation and reinstallation of the Outlook clients, and they continue to get locked out. I took over this shop recently as it was being migrated. I will also try removing the old Exchange from the AD domain here to see if that reduces the problem.

pwindell:

The old Exchange should have been eliminated right from the start. But I doubt it is the problem. Most likely it is something in the way you are configuring Outlook. The Exchange hosting company is really the "first stop" for troubleshooting this stuff. They are the ones you have to authenticate against (not your internal AD), and no matter what your problem is, it is not likely to be the first time they have seen it happen.

danny8280 (asker):
This migration was done literally as I was walking through the door on my first day in a new shop. I have a lot of discovery to do. I'm setting up Outlook as they instruct it to be done, but the issue remains. I did notice that once I change someone's email password and match it to their domain password, their account lockouts stop. It seems like Outlook is trying to authenticate to the domain at some point even though the old account profile was removed and then the new one put in. I have yet to find anywhere that Outlook caches credentials, to remove any old cache.
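The two checks a practitioner would want at this point are (a) which machine is actually submitting the bad password that trips the lockout, and (b) whether that machine still holds a stale saved credential for the old mail server. The PowerShell below is an added example written for this page, not code from the thread or from Rackspace. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on the PDC emulator (account lockout events, ID 4740, are always recorded there), and that the `cmdkey` target filter (`MicrosoftOffice|oldexchange`) is a placeholder you replace after inspecting the list on a real workstation.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread).
# Part 1: find the "Caller Computer Name" behind each lockout, from event 4740 on the PDC emulator.
# Part 2: on the offending workstation, list and remove stale Credential Manager entries.

function Get-LockoutSource {
    param(
        [int]$Hours = 24,
        # 4740 is always logged on the PDC emulator, so query it directly (assumption: reachable by name).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                # In event 4740 the field named TargetDomainName carries the caller computer name,
                # i.e. the machine that presented the bad password.
                Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
                DC      = $Server
            }
        } | Sort-Object Time -Descending
}

# Which accounts are being locked, and from which machines. A caller that is a user's
# workstation (with Outlook open) or the old on-site Exchange server is the lead to chase.
Get-LockoutSource -Hours 24 |
    Group-Object Account, Caller |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Accounts currently locked out (unlock with Unlock-ADAccount once the source is fixed).
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate

function Clear-StaleMailCredentials {
    # Run on the affected workstation, in the affected user's session: Credential Manager is per user.
    # $Pattern is an assumption; run with -WhatIf first and adjust it to the targets you actually see.
    param(
        [string]$Pattern = 'MicrosoftOffice|oldexchange',
        [switch]$WhatIf
    )
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+)$') {
            # cmdkey prints e.g. "Target: LegacyGeneric:target=NAME"; /delete wants NAME only.
            $Matches[1].Trim() -replace '^(LegacyGeneric|Domain):target=', ''
        }
    } | Where-Object { $_ -match $Pattern }

    foreach ($t in $targets) {
        if ($WhatIf) {
            "Would delete cached credential: $t"
        } else {
            cmdkey /delete:$t | Out-Null
            "Deleted cached credential: $t"
        }
    }
}

Clear-StaleMailCredentials -WhatIf
```

Run the first part from any domain-joined admin box; if the caller reported for a user is their own PC, that PC is where the stale credential lives and the second part applies there. If the caller is the old on-site Exchange server, Outlook clients are still reaching it (for example via an Autodiscover or service connection point record that was never removed), which is consistent with the asker's observation that only pre-migration mailboxes are affected.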
ASKER CERTIFIED SOLUTION

pwindell:
I also do not use account lockouts. I don't "believe" in them; they are just a DoS attack waiting to happen, and MS even now discourages enabling lockouts as a best practice, and has for several years. Just imagine the disaster I could cause on your system by intentionally sending the wrong password against all your accounts, including service accounts, which is pretty easy considering I don't know the real password to begin with. If I lock out enough of your accounts, or worse, system accounts, I could really leave you crippled.

Disabling account lockouts, besides being just a plain good idea, would completely eliminate the original problem.

danny8280 (asker):

The authentication is definitely being passed on to my domain by Outlook. When I made the passwords "match" on some users, those users ceased to lock out continuously. I agree with you on the off-site hosted Exchange, but in the case of a small location such as this one, it's beginning to grow on me. I would love to remove the lockout feature as well, but those wonderful auditors would beg to disagree with us.

Thanks for pointing me in the right direction. Once I'm able to offload the old on-site Exchange I should see this go away completely. For now I will have to band-aid the situation by making the passwords match.

pwindell:

I have dealt with auditors in a few situations. Auditors are not dictators, and they do not run the network or make the final decisions (although they try to make you think they do). You are free to disagree with them if their recommendations are "bad". I have never ever done a system exactly the way the auditors wanted it. Auditors are not always right, their desires are not always the best way to do it, their "cookie-cutter" mentality toward network design and configuration does not fit every situation, and sometimes they are just plain wrong, and I have never been afraid to tell them exactly that given the opportunity.
Comment:

There is no actual answer in this thread, but I have the same problem here and would like a solution if possible.

Comment:

Same issue here. Migrated to hosted Exchange. The AD domain is the same as the external .com. Users are getting locked out of AD.