Exchange Server and AD Authentication - Lockouts

Gazzoo 21 Reputation points
2021-03-04T19:30:28.913+00:00

Hi, so I may be asking a bonehead question; however, does on-prem Exchange Server 2013 or 2016 cache/store AD credentials when it attempts to authenticate back to AD? Thanks


Accepted answer
  1. Andy David - MVP 141.6K Reputation points MVP
    2021-03-04T19:39:44.827+00:00

    No, the users authenticate directly with AD, so no caching on the Exchange Server.
    Of course, users themselves can cache credentials on their devices.

    What Exchange caches is the Forest DC Topology with the DSAccess Service
    https://learn.microsoft.com/en-us/exchange/troubleshoot/administration/msexchangedsaccess-event-id-2080

    2 people found this answer helpful.

1 additional answer

  1. Gazzoo 21 Reputation points
    2021-03-05T18:04:24.057+00:00

    Awesome, thanks for that answer - that's what I suspected but wasn't sure, if for some crazy reason they would be stored there besides the users' client apps.

    I posted because I've been dealing with crazy account lockout issues (Exchange 2013 CU-22) as in an account being locked every 3 minutes - currently poring through posts on locating the lockout causes when all it shows is the Exchange servers in Event 4740.
    I thought maybe a corrupted mailbox or something might be causing the lockouts, but I'm not an Exchange expert by any means so that may be completely ignorant.
    Anyhow, it's easy when the Event 4740 points to the device, but almost impossible when the Event is only showing the lockouts coming from the 2 Exchange servers, to which I used ExMon on the Exchange servers to capture user connections.
    ExMon showed me a PC, but I cleared that PC of the user's Exchange account, then ExMon only showed connections coming from "Client=MSExchangeRPC" and "none" for the Client IP address.
    So now I've found some more tools I can use to possibly see more into what is causing these lockouts.
    And I'm going to run some health checks.

    If anyone has additional input, it is appreciated!

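Added example, not part of the original thread: a triage script for the situation described above, where Event 4740 names only the Exchange servers. It reads 4740 events exported as XML, reports per account the lockout count, the median gap between lockouts and the caller computers, and flags accounts whose only callers are Exchange servers. The host names, account names and events are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import median

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EXCHANGE_SERVERS = {"EXCH01", "EXCH02"}  # assumption: hypothetical host names

def _event(time, user, caller):
    """Build one constructed 4740 event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4740</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">{caller}</Data></EventData></Event>')

# Constructed sample data: one account locked every 3 minutes via the two
# Exchange servers, and one account locked once from a workstation.
SAMPLE = "<Events>" + "".join([
    _event("2021-03-05T10:00:00.000000000Z", "jdoe", "EXCH01"),
    _event("2021-03-05T10:03:00.000000000Z", "jdoe", "EXCH02"),
    _event("2021-03-05T10:05:00.000000000Z", "asmith", "WS-0423"),
    _event("2021-03-05T10:06:00.000000000Z", "jdoe", "EXCH01"),
    _event("2021-03-05T10:09:00.000000000Z", "jdoe", "EXCH02"),
]) + "</Events>"

def summarize_lockouts(xml_text, relays=EXCHANGE_SERVERS):
    """Per account: lockout count, median gap in seconds, callers, relay_only."""
    seen = defaultdict(lambda: {"times": [], "callers": set()})
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rec = seen[data["TargetUserName"].lower()]
        # Drop the sub-second part so any fraction length parses.
        rec["times"].append(datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"))
        # In 4740 the "Caller Computer Name" is carried in TargetDomainName.
        rec["callers"].add(data["TargetDomainName"].strip().upper())
    report = {}
    for user, rec in seen.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[user] = {
            "lockouts": len(times),
            "median_gap_s": median(gaps) if gaps else None,
            "callers": sorted(rec["callers"]),
            # True: 4740 cannot name the device; look at the Exchange side.
            "relay_only": rec["callers"] <= set(relays),
        }
    return report
```

An account with `relay_only` set is one where 4740 alone will not identify the device, which is the case the post describes.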