DEFclub
Disabled user accounts can log into OWA - delayed account sync
When users change their password in OWA (exchange 2003 & ex2010) it takes 15 minutes for the password to sync. Example, when a user account is disabled. The disabled user can log into OWA for up to 15min before exchange syncs with AD.
Any ideas?
AD Replication will take its own course of action. Password changes are immediate and handled by the PDC.
Is your exchange server the same as your primary domain controller? Sounds to me like your Exchange CAS server isn't communicating with your other domain controllers.
I guess your exchange server communicates with a domain controller that is not the one these operations were performed on.
Possibly it is set up as a backup domain controller and always asks its own AD first;
then it's all about the time it takes to replicate the changes.
I do not think exchange caches such stuff, but if you are not working with kerberos, it might have a local password cache, or use the OS password cache (yeah, that thing exists).
OWA, as with Mobile Devices, relies on IIS for security. Making a change in AD can take anywhere from minutes to hours to update on the Exchange server. To force the change immediately you can log on to the Exchange Server and do an IIS restart at the command prompt.
iisreset /restart
Means the IIS has an authentication cache?
Is that even feasible when using kerberos?
Is that acceptable when using NTLM (you would have to reuse the same tokens over and over)?
SOLUTION
Ok, thanks for the information.
I'm not sure restarting IIS would apply in this case though,
because the right to dial-in is just a user property which may easily be cached;
maybe the active/inactive property is in the same case, but that would be less likely because the authentication would still have to be performed against a domain controller, which should reject it if the account is deactivated;
passwords should definitely not be cached anywhere, but windows is known to have a cache at the OS level, so maybe IIS has one as well, though it would be unlikely.
@DEFclub, some kind of feedback would be greatly appreciated if you don't mind
ASKER
I have no real feedback at this point - there has been no real solution or potential action suggested to resolve the issue. Solutions are welcome.
Have you looked at trying my suggestion in ID: 38028331 above or at least answering the questions posed by others attempting to assist?
ASKER
I did restart IIS - no joy. Nobody else has mentioned anything other than bouncing IIS?
IIS reset will not do the AD replication. AD replication is different; try this out.
Download the replmon tool (it might already be present on the AD server), go to Run and type
replmon.msc
Add the server where you made the change, then right-click and sync, selecting all 3 check boxes.
http://technet.microsoft.com/en-us/library/cc775394(v=ws.10).aspx
You need to do this.
Note from Article:
"To synchronize all directory partitions at once, on the Action menu, click Server, and then click Synchronize Each Directory Partition with All Servers."
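A way to confirm the replication diagnosis from the thread before forcing a sync, as an added example that is not part of the original posts: query every domain controller for the disabled account's state and report which DCs still hold the old value. While the account shows as enabled on the DC that Exchange CAS is bound to, OWA will keep accepting the logon, which is the window the asker observed. This script assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and repadmin.exe are available, that the caller can query each DC, and uses the placeholder parameter $SamAccountName; the repadmin switches /AdeP (all partitions, names by DN, cross-site, push) are real.

```powershell
# Added example, not from the thread: compare one account's Enabled flag across all DCs,
# then optionally push replication from the DC that already holds the disabled state.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder: account that was disabled
    [switch]$ForceSync                                # also run repadmin /syncall when DCs disagree
)

Import-Module ActiveDirectory

# Every DC in the domain; Exchange may be bound to any one of them.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        # -Server forces the query at that specific DC instead of the nearest one.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties Enabled, userAccountControl, whenChanged, pwdLastSet
        [pscustomobject]@{
            DC          = $dc
            Enabled     = $u.Enabled
            UAC         = $u.userAccountControl          # bit 0x2 = ACCOUNTDISABLE
            WhenChanged = $u.whenChanged                  # local-to-this-DC timestamp of last write
            PwdLastSet  = [DateTime]::FromFileTime($u.pwdLastSet)
            Error       = $null
        }
    } catch {
        [pscustomobject]@{ DC = $dc; Enabled = $null; UAC = $null; WhenChanged = $null; PwdLastSet = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table DC, Enabled, UAC, WhenChanged, PwdLastSet, Error -AutoSize

# If the reachable DCs do not all agree on Enabled, the change has not converged yet.
$states = @($results | Where-Object { -not $_.Error } | Select-Object -ExpandProperty Enabled -Unique)

if ($states.Count -gt 1) {
    Write-Warning "Account state differs between domain controllers: replication has not converged."
    if ($ForceSync) {
        # Push from a DC that already has the account disabled to all partners, all partitions.
        $source = ($results | Where-Object { -not $_.Error -and $_.Enabled -eq $false } | Select-Object -First 1).DC
        Write-Host "Forcing replication from $source ..."
        repadmin /syncall $source /AdeP
    }
} elseif ($states.Count -eq 1) {
    Write-Host "All reachable DCs agree: Enabled = $($states[0])"
} else {
    Write-Warning "No DC returned the account; check the name and DC reachability."
}
```

Run it once right after disabling the account and again after the forced sync; the DC that lags is the one to inspect with repadmin /showrepl. On Exchange 2010, Get-ExchangeServer -Identity <CAS> -Status lists the CurrentDomainControllers the server is actually using, so you can see directly whether OWA's DC is among the stale ones.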
ASKER CERTIFIED SOLUTION
ASKER
Looks like domain replication issues - thxs