We have got a pretty simplistic configuration for our mail system - a single server providing all Exchange 2010 services, and a TMG 2010 server in our DMZ which provides webmail and ActiveSync functions. We are using split DNS to allow local machines to connect directly to the mail server for ActiveSync and normal mail functions, and to push these functions through TMG when accessed externally. Webmail is passed through the TMG server whether accessed internally or externally. The TMG server is in a workgroup and uses LDAP-S to communicate with the domain servers for user authentication.
Our problem is this - I recently enabled the function to allow users to change their password through webmail when it has already expired (mainly due to Mac users!). However, since then, a number of random user lockouts have been occurring, and they appear to be originating from the TMG server. I have tried using the lockoutstatus app to trace the originating server, then trawling through the logs to find the relevant record - and they all point to the DC on site that the Exchange server and TMG server talk to. When I look at the Exchange server, there are multiple "bad username or password" errors being processed from the TMG server, which then results in the account being locked. I can find no reason why this would happen; it doesn't happen to everyone, and I have even gone through the users' machines to ensure there are no applications that could be repeatedly pushing bad credentials to the domain and causing the lockouts.
The other strange issue I've noticed is that I can unlock these accounts on the domain, but then I am sometimes having to unlock them on the Exchange server as well before they can log in. Whether this is due to domain sync delays I am unsure, but again it is something which only recently seems to have started!
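Added example (editor's illustration, not code from the original post): the manual lockoutstatus-plus-log-trawling step described above can be done in one pass with PowerShell. The first part reads account-lockout events (ID 4740) from the DC's Security log and groups them by the "Caller Computer Name", which is the machine the bad credentials actually arrived from; the second part pulls failed-logon events (ID 4625) from the Exchange server and decodes the sub-status, so you can see whether the attempts coming from TMG are wrong-password (0xC000006A) or unknown-user (0xC0000064) failures. The server names `DC01` and `EX01` are placeholders; it assumes you run it from a domain-joined box with read access to both Security logs and the ActiveDirectory module installed.

```powershell
# Added example: correlate lockouts on the DC with failed logons on the Exchange server.
# Placeholders: replace DC01 / EX01 with the DC the Exchange and TMG servers use and the Exchange CAS.
param(
    [string]$DomainController = 'DC01',
    [string]$ExchangeServer   = 'EX01',
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Turn an event's <EventData> into a hashtable keyed by the Data Name attribute.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# --- Part 1: who is causing the lockouts? (event 4740 on the DC) ---
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740            # "A user account was locked out"
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $f['TargetUserName']
        # In event 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
        CallerComputer = $f['TargetDomainName']
        LoggingDC      = $_.MachineName
    }
}

"Lockouts in the last $Hours h by source computer:"
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$lockouts | Sort-Object Time |
    Format-Table Time, LockedAccount, CallerComputer, LoggingDC -AutoSize

# --- Part 2: what do the bad-password attempts on Exchange look like? (event 4625) ---
$subStatus = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
}

$failures = Get-WinEvent -ComputerName $ExchangeServer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625            # "An account failed to log on"
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    $code = ($f['SubStatus']).ToLower()
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = $f['TargetUserName']
        SourceIP    = $f['IpAddress']      # expect the TMG address for proxied OWA/ActiveSync
        Workstation = $f['WorkstationName']
        LogonType   = $f['LogonType']
        Reason      = if ($subStatus.ContainsKey($code)) { $subStatus[$code] } else { $code }
    }
}

"Failed logons on $ExchangeServer grouped by source and reason:"
$failures | Group-Object SourceIP, Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# --- Part 3: confirm what AD itself currently reports as locked ---
Import-Module ActiveDirectory
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate |
    Format-Table -AutoSize
```

A run of wrong-password failures from the TMG address against one account, clustered right after that user's password change, points at a client still presenting the old credential through the proxy (OWA or ActiveSync profile) rather than at the users' desktop; a high count of "Account locked out" sub-status entries only tells you the account was already locked when the attempt arrived, so sort by the earliest failures for each account to find the first bad attempt.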