I recently changed my domain admin password. I went in to the services of each of my servers and sorted by log on and wherever it had my domain admin, I changed the password. However, it seems that there is still something using the old password because there are events every minute that the admin password is bad. I was able to see with the events the IP it was coming from was the Exchange Server. I ran Wireshark and was able to see the trace where it shows me the old password being used with LDAP protocol. The problem is that there is no more information and I can't seem to find any service or program running on the Exchange server out of the ordinary using Ldap.
Would anyone have any ideas how I can trace this. Your help would be greatly appreciated.