Forum Discussion
skear1365
Mar 11, 2023 Copper Contributor
Exchange 2016 Event 2159 ADAccess Validation Failed
We intermittently see event id 2159 generated on our Exchange 2016 Server (CU23 Jan23SU). They seem to have appeared sometime in the past month. We tend to see about 50-150 events per day. We've e...
jlando
Jun 30, 2023 Copper Contributor
DrShutt, ronenu and h1ckman - Any chance you guys are using (or in the process of rolling out) CS Identity Protection? DrShutt's comment about LDAP queries being changed has me wondering if CS Identity Protection isn't passing those queries through correctly.
- h1ckman
  Jun 30, 2023 Copper Contributor
  We have had identity enabled on the DCs since we did a POC last October. Not really much to configure specific to identity except to allow it to monitor DC traffic or turn it off altogether. To have it actively block or do anything other than monitor you have to create rules which we have not done anything with yet.
- JSneade
  Jun 30, 2023 Copper Contributor
  jlando This is what's made it so difficult to diagnose as March security patch came out just as our security team rolled out CS Identity Protection. @DrSchutt comment very helpful as our security team did not want to remove CS altogether and only put in exceptions.
  We're still working with Microsoft over here.
- swguy89
  Jul 12, 2023 Copper Contributor
  We are experiencing the same exact issues. We are also running CS with the ITP module running the integrated DC sensor.
  Has anyone heard back from CS support or Microsoft on the root cause? I've since opened a support ticket with CS but still waiting on an analysis from them.
- JSneade
  Jul 12, 2023 Copper Contributor
  swguy89
  We are in like round 10 of log collecting for Microsoft, however they did respond back that they think it's related to the IDP module installed on the Crowdstrike DCs. We will be going back to our security department for testing removal of agent or allow listing Exchange traffic from monitoring. We had not prompted MS about suspicions of the CS IDP on the DCs. They have come up with this through "other cases" so hopefully a solution for us all.
- ronenu
  Jun 30, 2023 Copper Contributor
  Yes I am using CS identity protection