DEFclub asked:

Disabled user accounts can log into OWA - delayed account sync

When users change their password in OWA (Exchange 2003 and Exchange 2010) it takes 15 minutes for the password to sync. Example: when a user account is disabled, the disabled user can still log into OWA for up to 15 minutes before Exchange syncs with AD.

Any ideas?
Amit

AD replication will take its own course of action. Password changes are immediate and handled by the PDC.

Is your Exchange server the same as your primary domain controller? Sounds to me like your Exchange CAS server isn't communicating with your other domain controllers.
skullnobrains

I guess your Exchange server communicates with a domain controller that is not the one these operations were performed on.

Possibly it is set up as a backup domain controller and always asks its own AD first.

Then it's all about the time it takes to replicate the changes.

I do not think Exchange caches such stuff, but if you are not working with Kerberos, it might have a local password cache, or use the OS password cache (yeah, that thing exists).
OWA, as with mobile devices, relies on IIS for security. Making a change in AD can take anywhere from minutes to hours to update on the Exchange server. To force the change immediately you can log on to the Exchange server and do an IIS restart at the command prompt:

iisreset /restart
That means IIS has an authentication cache?
Is that even feasible when using Kerberos?
Is that acceptable when using NTLM (you would have to reuse the same tokens over and over)?
SOLUTION
Steven Carnahan
(answer text hidden; the page requires an account to view it)
OK, thanks for the information.

I'm not sure restarting IIS would apply in this case, though,

because the right to dial in is just a user property which may easily be cached;

maybe the active/inactive property is in the same case, but that would be less likely because the authentication would still have to be performed against a domain controller, which should reject it if the account is deactivated;

passwords should definitely not be cached anywhere, but Windows is known to have a cache at the OS level, so maybe IIS has one as well, though it would be unlikely.

@DEFclub, some kind of feedback would be greatly appreciated if you don't mind
DEFclub (asker)

I have no real feedback at this point. There has been no real solution or potential action suggested to resolve the issue. Solutions are welcome.
Have you looked at trying my suggestion in ID: 38028331 above or at least answering the questions posed by others attempting to assist?
DEFclub (asker)

I did restart IIS - no joy. Nobody else has mentioned anything other than bouncing IIS?
An IIS reset will not do the AD replication. AD replication is different; try this out.

Download the replmon tool (it may already be present on the AD server), go to Run and type
replmon.msc

Add the server where you made the change, right-click and sync, and select all 3 check boxes.

http://technet.microsoft.com/en-us/library/cc775394(v=ws.10).aspx
You need to do this.

Note from Article:
"To synchronize all directory partitions at once, on the Action menu, click Server, and then click Synchronize Each Directory Partition with All Servers."
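The two checks the thread keeps circling back to, which domain controllers the Exchange server is actually bound to and whether the disable has reached all of them, can be run from the Exchange Management Shell instead of clicking through Replication Monitor. The following is an added example, not code posted by anyone in this thread. It assumes Exchange 2010 (Get-ExchangeServer -Status and Set-ExchangeServer -Static* exist there; Exchange 2003 has no such cmdlets), the Active Directory PowerShell module, and repadmin from Windows Server 2008+/RSAT. The server EX01, the user jdoe, the domain contoso.com and the DC names are placeholders.

```powershell
# Added example: verify which DCs Exchange uses, force replication, and check
# the disabled account's state on every DC. Placeholders: EX01, jdoe,
# contoso.com, DC01/DC02. Run from the Exchange Management Shell on the CAS.
$ExchangeServer = 'EX01'
$SamAccountName = 'jdoe'
$Domain         = 'contoso.com'

# 1. Which DCs/GCs is this Exchange 2010 server currently bound to?
#    ADAccess picks these itself unless they have been pinned.
Get-ExchangeServer -Identity $ExchangeServer -Status |
    Format-List Name, CurrentDomainControllers, CurrentGlobalCatalogs, CurrentConfigDomainController

# 2. Replication health for every DC in the forest: look for non-zero "Fails"
#    and a "Largest Delta" measured in hours rather than minutes.
repadmin /replsummary

# 3. Force every DC to replicate every partition with all of its partners now.
#    /A = all partitions, /d = show DNs instead of GUIDs, /e = cross-site, /P = push.
repadmin /syncall /AdeP

# 4. Ask each DC directly whether the account is disabled there. Each DC answers
#    from its own replica, so a DC that has not yet received the change still
#    reports Enabled = True, and a CAS bound to that DC still lets the user in.
Import-Module ActiveDirectory
$dcs = Get-ADDomainController -Filter * -Server $Domain
$report = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties Enabled, PasswordLastSet, uSNChanged, whenChanged
    [pscustomobject]@{
        DC              = $dc.HostName
        Enabled         = $u.Enabled
        PasswordLastSet = $u.PasswordLastSet
        uSNChanged      = $u.uSNChanged
        whenChanged     = $u.whenChanged
    }
}
$report | Format-Table -AutoSize

$stale = $report | Where-Object { $_.Enabled }
if ($stale) {
    Write-Warning ("Account is still enabled on: " + ($stale.DC -join ', '))
}

# 5. Optional: pin the CAS to the DCs where admins make account changes, so a
#    disable is seen as soon as it is written there. Exchange then ignores every
#    other DC, so only pin healthy DCs in the same site, and document it.
# Set-ExchangeServer -Identity $ExchangeServer `
#     -StaticDomainControllers 'DC01.contoso.com','DC02.contoso.com' `
#     -StaticGlobalCatalogs    'DC01.contoso.com','DC02.contoso.com'
```

Read the output of step 4 next to step 1: if the account shows Enabled = False on the DC where it was disabled but Enabled = True on a DC listed under CurrentDomainControllers, that gap is exactly the window in which OWA still accepts the login, and the fix is replication (step 3, or the site-link schedule), not an IIS reset. A non-empty warning after step 3 has completed points at a DC that is not replicating at all, which repadmin /showrepl against that DC will explain.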
ASKER CERTIFIED SOLUTION
(answer text hidden; the page requires an account to view it)
DEFclub (asker)

Looks like domain replication issues - thanks.