Solved

Issues with domain account lockouts

Posted on 2013-10-28
Last Modified: 2013-11-28
We have got a pretty simplistic configuration for our mail system - a single server providing all Exchange 2010 services, and a TMG 2010 server in our DMZ which provides webmail and ActiveSync functions.  We are using split DNS to allow local machines to connect directly to the mail server for ActiveSync and normal mail functions, and push these functions through TMG when accessed externally.  Webmail is passed through the TMG server whether accessed internally or externally.  The TMG server is in a workgroup and uses LDAP-S to communicate with the domain servers for user authentication.

Our problem is this - I recently enabled the function to allow users to change their password through webmail when it has already expired (mainly due to Mac users!).  However, since then, there are a number of random user lockouts occurring, and they appear to be originating from the TMG server.  I have tried using the lockoutstatus app to trace the originating server, then trawling through the logs to find the relevant record - and they all point to the DC on site that the Exchange server/TMG server talk to.  When I look at the Exchange server, there are multiple "bad username or password" errors being processed from the TMG server, which then results in the account being locked.  I can find no reason why this would happen; it doesn't happen to everyone, and I have even gone through the users' machines to ensure there are no applications that could be repeatedly pushing bad credentials to the domain causing the lockouts.

The other strange issue I've noticed is that I can unlock these accounts on the domain, but then I am sometimes having to unlock them on the Exchange server as well before they can log in.  Whether this is due to domain sync delays I am unsure, but again it is something which only recently seems to have started!
Question by: Amaze_IT
2 Comments
LVL 44

Accepted Solution

by: Amit (earned 1800 total points)
ID: 39605584
Run repadmin /replsum and check for any errors. Also run dcdiag /v and check for errors.

You also need to check if any DC went into journal wrap state.
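The three checks in this answer, scripted together as an added example (this is not Amit's script and not part of the thread). It assumes the ActiveDirectory RSAT module (Get-ADReplicationFailure needs the Server 2012-era module) and an account that can read the event logs on every DC; FRS-based SYSVOL replication is assumed, since journal wrap is reported by the NtFrs provider as event 13568. Getting all of this in one pass matters here because a DC that is not replicating, or is in journal wrap, is exactly what makes an unlock on one DC invisible to the others.

```powershell
# Added example: replication health plus journal-wrap check on every DC.
# Assumptions: ActiveDirectory RSAT module installed; rights to read DC event logs;
# SYSVOL replicated by FRS (NtFrs event 13568 = journal wrap).
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# 1. Forest-wide replication summary. Any non-zero "Fails" column or an error
#    in the "largest delta" column is a replication problem to chase first.
Write-Host "== repadmin /replsum =="
repadmin /replsum

# 2. The same failures as objects, one row per failing partner link.
Write-Host "== Get-ADReplicationFailure =="
Get-ADReplicationFailure -Target $dcs |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 3. Journal wrap: NtFrs writes event 13568 to the "File Replication Service" log.
#    Get-WinEvent throws when no event matches, so that case is caught and
#    distinguished from a log that could not be read at all.
Write-Host "== Journal wrap events (NtFrs 13568) =="
foreach ($dc in $dcs) {
    try {
        $wrap = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'File Replication Service'; ProviderName = 'NtFrs'; Id = 13568
        }
        Write-Warning "$dc : $($wrap.Count) journal wrap event(s), latest at $($wrap[0].TimeCreated)"
    } catch {
        if ($_.Exception.Message -like 'No events were found*') {
            Write-Host "$dc : no journal wrap events"
        } else {
            Write-Host "$dc : unable to read FRS log ($($_.Exception.Message))"
        }
    }
}

# 4. Verbose dcdiag across all tests, saved to a file for review rather than
#    scrolled past on the console.
$report = Join-Path $env:TEMP 'dcdiag-verbose.txt'
dcdiag /v /c /f:$report
Write-Host "dcdiag output saved to $report"
```

Run it from a management workstation as a domain admin and read the output top to bottom: replication failures first, then any DC flagged for journal wrap, then the dcdiag file for the DC that repadmin named.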
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39605776
Do you have multiple AD sites in your environment? If you are connecting to a DC in another site (mistakenly), an account unlock will not happen immediately. Inter-site replication replicates every 15 minutes (fastest time interval), so it will take up to 15 minutes for the changes to take effect. The only thing that is nearly instant is password changes, which contact the PDC directly and do not use the default replication interval.

I would recommend using a product called ADAudit Plus as it will give you the exact source as to where it is coming from and what is locking the accounts out.

ADAudit Plus - http://www.manageengine.com/products/active-directory-audit/

Will.
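The two points in this comment (which DC and site you are actually talking to, and where the lockouts originate) can be checked without a third-party product, using only Windows event data. The script below is an added example, not Will's and not part of ADAudit Plus. It relies on two facts: every lockout is forwarded to the PDC emulator, which logs event 4740 with the caller computer name (in that event the TargetDomainName data field carries the caller computer), and inter-site replication follows the site link schedule. The user name jdoe is a constructed placeholder.

```powershell
# Added example: trace lockout sources from the PDC emulator's Security log and
# show whether this session's DC is in the local site.
# Assumptions: ActiveDirectory RSAT module; rights to read the PDC emulator's
# Security log; 'jdoe' is a placeholder sAMAccountName.
param([string]$User = 'jdoe')

Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator

# 1. All 4740 (account locked out) events from the last 7 days. The PDC emulator
#    receives every lockout, so one log covers the whole domain.
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7)
}

$lockouts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $d['TargetUserName']
        CallerComputer = $d['TargetDomainName']          # 4740 stores the caller here
        ReportingDC    = $d['SubjectUserName'].TrimEnd('$')
    }
}

Write-Host "== Lockouts for $User (PDC emulator: $pdc) =="
$lockouts |
    Where-Object { $_.Account -eq $User } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize

# 2. Which DC is this session using, and is it in this machine's site? An unlock
#    written to a DC in another site waits for the inter-site schedule.
$localSite = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
$myDc      = Get-ADDomainController -Discover
Write-Host "Session DC: $($myDc.HostName) in site '$($myDc.Site)'; this machine's site: '$localSite'"

# 3. Site link intervals, the ceiling on how long an unlock takes to reach other sites.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize
```

If the CallerComputer column keeps naming the TMG server, the bad-password source is behind TMG (a cached credential on a client that authenticates through it), not TMG itself, and the next step is that client's logs. To avoid the replication wait described in the comment, write the unlock to the PDC emulator directly with Unlock-ADAccount -Identity $User -Server $pdc.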