1

Pretty strange scenario, but maybe it's only strange to me.

I have a Windows 2008 server that is the DC and AD. The domain is "thiscompany.com".

Up until last week, we were hosting our own Exchange. On Friday, I migrated all of our email to an offsite host. We recreated all accounts on the new host, just transferred the necessaries (emails, calendars, contacts). No funny business, just wanted to get it out of my hair. Obviously, then I just deleted all Outlook profiles on the machines and re-ran Autodiscover after moving the MX records, etc. The whole shebang. The email works fine.

Here's where it gets hinky. Ever since then, each user has been logging almost exactly 1 bad password attempt every minute, even while they're already logged in (it's hard to tell, but I think it might be only when they're logged in). Since our login threshold was 10, they were getting locked out of their profiles every time they logged off.

I've checked the event logs on the individual machines and there is no funny business that I can find, although the server does log events for the bad password attempts (I didn't find these manually, I used AD Audit Plus by ManageEngine to monitor them as they come in). The bad logins are definitely coming from their computers and not a cellphone that had the old login or something.

Any ideas on what might be causing this?

Hamberglar

1 Answer

1

The key question here is what has happened to the old Exchange server? Running Autodiscover on the clients to point to the new server isn't enough - Autodiscover isn't a one-time thing. The client will query Autodiscover frequently and the first thing it will query is the local domain it is a member of. That is probably what is happening here.

The fix will depend on what has happened with the old Exchange server. If it is still alive, then changing the internal Autodiscover record to point to the off site one should be all that is required. If Exchange has been removed then you are looking at some adsiedit work to remove the SCP for Autodiscover from the domain.

Sembee
  • We have pointed the Autodiscover to the offsite Exchange server. Otherwise our email would not be working. – Hamberglar Oct 14 '16 at 20:24
  • How EXACTLY did you point Autodiscover traffic to the off site server? As for failing to do so stopping email from working, that isn't the case. It is certainly possible to run Exchange with a badly configured Autodiscover. – Sembee Oct 15 '16 at 10:03
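
To see what the answer's "SCP for Autodiscover" currently contains, the following read-only inventory lists every Autodiscover service connection point in the forest and where it points. It is an added example, not code from the question or the answer. It assumes a domain-joined machine with read access to the Configuration partition, and it uses ADSI rather than the ActiveDirectory module so it also runs on PowerShell 2.0.

```powershell
# Added example: read-only listing of Autodiscover SCP objects in Active Directory.
# Nothing is modified; removal is left to adsiedit as described in the answer.

# Keyword GUIDs that Exchange stamps on its Autodiscover SCP objects
$urlKeyword     = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'  # SCP holding an Autodiscover URL
$pointerKeyword = '67661d7F-8FC4-4fa7-BFAC-E1D7794C1F68'  # SCP redirecting to another forest

# SCPs live in the Configuration partition, under each Exchange server object
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext.Value

$searcher            = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$configNc"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)" +
                       "(|(keywords=$urlKeyword)(keywords=$pointerKeyword)))"
$searcher.PageSize   = 500
'distinguishedName', 'serviceBindingInformation', 'whenChanged' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$report = foreach ($result in $searcher.FindAll()) {
    # serviceBindingInformation is the URL that domain-joined Outlook tries first
    $values  = $result.Properties['servicebindinginformation']
    $binding = if ($values -and $values.Count) { [string]$values[0] } else { '' }

    # Extract the host so we can see whether the old server name still resolves
    $uri      = $null
    $hostName = ''
    if ([System.Uri]::TryCreate($binding, [System.UriKind]::Absolute, [ref]$uri)) {
        $hostName = $uri.Host
    }
    $resolved = 'n/a'
    if ($hostName) {
        try {
            $resolved = ([System.Net.Dns]::GetHostAddresses($hostName) |
                ForEach-Object { $_.IPAddressToString }) -join ', '
        } catch {
            $resolved = 'does not resolve'
        }
    }

    New-Object PSObject -Property @{
        SCP         = [string]$result.Properties['distinguishedname'][0]
        Binding     = $binding
        Host        = $hostName
        ResolvesTo  = $resolved
        WhenChanged = $result.Properties['whenchanged'][0]
    }
}

$report | Select-Object Binding, Host, ResolvesTo, WhenChanged, SCP | Format-List
```

An entry whose `Binding` still names the old on-premises server is the record domain-joined clients will try before any DNS-based Autodiscover lookup; an empty result means no SCP remains in the forest.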