Forum Discussion
Exchange 2016 Event 2159 ADAccess Validation Failed
Seems we have the same issue. In our case CS Identity Protection was activated (for monitoring only, as we're still testing) on the last DCs on the same day when those Exchange problems started (mid-June in our case), so the correlation is quite strong. The general assumption, as far as I understand, is that somehow the DCs seem to be overwhelmed by that CS agent traffic inspection, so somehow some packets or information get lost.
In any case, our security engineer opened a ticket with CS, and currently we're monitoring our Exchange servers with extended logging for CS support - and we're waiting for it to happen again. It did so two times last week and not at all since Saturday.
Here's a link to that issue on the CS subreddit - maybe that helps for you, too:
https://www.reddit.com/r/crowdstrike/comments/14r3avd/identity_module_inbuilt_into_falcon_ldap_query/?utm_source=share&utm_medium=web2x&context=3
- SaschaSeipp, Dec 11, 2023, Brass Contributor
In case anyone stumbles upon this thread and misses the ending.. ;-):
Apparently CrowdStrike has somehow fixed the issue by "automatically identifying the Exchange servers" and not doing for them what they do for/with the other servers. This already happened some months ago, I just forgot to get back to this thread here. Since then, we had no more issues.
- h1ckman, Dec 11, 2023, Copper Contributor
SaschaSeipp So they closed your ticket with CrowdStrike? Is there a CS article about this or the resolution documented on their site?
- swguy89, Dec 11, 2023, Copper Contributor
h1ckman Yes, they published a KB article and sent a Tech Alert out back in July about the issue.
I don't remember which version of the sensor they fixed it in, but it has since been fixed and we too have not had the issue again.
https://supportportal.crowdstrike.com/s/article/Identity-Protection-Falcon-Sensor-Authentication-Traffic-Inspection-May-Interfere-with-Microsoft-Exchange-On-Premise