I've got a tricky situation here. A user at one of our satellite offices recently changed her password because it had expired. While her laptop accepted the new password, Outlook is refusing to work with it, including access to webmail. The setup is a bit complicated since we have a hub and spoke forest with FSMO servers at the main office and dedicated DCs at the satellite locations—all on-prem. One of these satellite offices has a really bad connection, which affects the replication from our FSMO servers. I've already tried a bunch of troubleshooting steps like GPUpdate, forcing replication, running DISM and SFC, checking CHKDSK, restarting the group policy service, and even trying to rebuild her mail profile and reinstall Office. The problem seems linked to replication issues due to poor internet speed. With the satellite office being two hours away, I want to avoid changing her password remotely unless necessary. I'd appreciate any advice on how to resolve this issue!
4 Answers
I've run into this issue before! Sometimes, it's caused by a special character that the local AD server accepts but the online server does not. You might want to force a new password while checking the 'user must change password at next logon' box.
In Active Directory, can you confirm if the password change is reflected there? Also, is it worth trying to see if she can log in to Outlook Web Access with her old password?
It sounds like replication is definitely the culprit here. The new password needs to propagate to the primary DC for it to be recognized by the email server. Have you tried forcing replication between sites? That could help, but I know it might fail if the connection is poor.
I've attempted that, but it fails every time—both upstream and downstream. I'm seriously considering demoting the satellite DC if this keeps up.
What kind of mail setup are you running? Is it fully on-prem Exchange or a hybrid setup?
We have two fully on-prem Exchange 2019 servers in a DAG formation at the main office.
I tried that from the FSMO, but it didn't replicate downstream. I'm hesitant to do it on the satellite DC since I don't want the user to be locked out if the client and the DC are conflicting over passwords.
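As an added diagnostic example (not posted by anyone in the thread), the following PowerShell script checks the point raised in the replication answers above: it queries the affected account on every DC in the domain and reports which ones have the new password's pwdLastSet timestamp, and whether the PDC emulator is among them. It assumes the RSAT ActiveDirectory module and repadmin are available; the sAMAccountName is a placeholder.

```powershell
# Added example, not part of the original thread. Compares password-change metadata
# for one account across all DCs so a stale replica shows up immediately.
# Requires RSAT (ActiveDirectory module + repadmin.exe). Run as a domain user.
param(
    [string]$SamAccountName = 'jdoe'   # placeholder: replace with the affected user
)

Import-Module ActiveDirectory

# A DC that rejects a password normally retries against the PDC emulator, and a
# password change is forwarded to the PDC emulator right away. If even the PDC
# emulator still shows the old pwdLastSet, that forward failed over the slow link.
$pdc = (Get-ADDomain).PDCEmulator

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server binds to this specific DC, so each row reflects that DC's own copy.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties pwdLastSet, badPwdCount, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            Site            = $dc.Site
            IsPDC           = ($dc.HostName -eq $pdc)
            PasswordLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
            BadPwdCount     = $u.badPwdCount   # not replicated: per-DC failure counter
            LockedOut       = $u.LockedOut
        }
    } catch {
        # Unreachable DC (e.g. the satellite over a dead link) is itself a finding.
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; IsPDC = ($dc.HostName -eq $pdc)
            PasswordLastSet = "unreachable: $($_.Exception.Message)"
            BadPwdCount = $null; LockedOut = $null
        }
    }
}

$results | Sort-Object IsPDC -Descending | Format-Table -AutoSize

# Any DC whose timestamp differs from the PDC emulator's holds a stale copy.
$pdcRow = $results | Where-Object IsPDC
$stale  = $results | Where-Object { $_.PasswordLastSet -ne $pdcRow.PasswordLastSet }
foreach ($row in $stale) {
    Write-Warning "$($row.DC) ($($row.Site)) disagrees with PDC on pwdLastSet"
    # Originating DC and version of pwdLastSet as seen by the stale DC, plus its
    # inbound replication status, to tell a failed link from a never-forwarded write.
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    repadmin /showobjmeta $row.DC $dn | Select-String 'pwdLastSet'
    repadmin /showrepl $row.DC | Select-String 'Last attempt|failed|successful'
}
```

Where BadPwdCount is climbing on only one DC, that DC is the one rejecting the new password; a LockedOut value of True anywhere means the mail client's cached credential has already tripped the lockout threshold and the account needs unlocking before any further test.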