question

BrainWani-3531 asked DaisyZhou-MSFT commented

Replication like it's 1999: msDS-LogonTimeSyncInterval

OK, I'm a conscientious admin, and we've had Active Directory for nearly 20 years. I remember being really careful to make sure Active Directory replication was optimized, we put DNS in Forest containers, etc. Now, however, we have DNS on all our domain controllers because client performance is more important than minimizing replication. We turned on change notification so changes replicate in 5-15 seconds instead of 15-45 minutes.

So I was writing an email explaining LastLogonTimeStamp today, and thinking about it, I have to question why we care so much any more. The way LLTS works, it gets updated if it's more than 9-14 days newer than the stored value. Let's say users do lots of authentications per day; this will tend to be the worst case: replicate once every 9 days. Honestly, if you have more than a few "authentication" events in a day, you're going to replicate LLTS.

The "problem" with LLTS is that it's not that accurate, can be 9-14 days off. We have a audit requirement to disable inactive users after 30 days. I could write something complicated to query all the DCs LastLogon, or just set msDS-LogonTimeSyncInterval to 1. Worst case, this increases the replication traffic for LLTS by a factor of 9. Is that significant? Are our network connections 9 times faster than our 2003 network connections? Are our computers 9 times faster than our 2003 computers? I think we can handle it, and it keeps things simple.

Set-ADObject -Identity "DC=cottage,DC=local" -Replace @{"msDS-LogonTimeSyncInterval"=1}

Has anyone done this? Did the world end? Should it be the 2019+ default? (Did I miss something and it already is for new domains?)

windows-active-directory
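The two options weighed in the question above, reading the current msDS-LogonTimeSyncInterval and querying every DC's unreplicated lastLogon for the 30-day audit, look like this in PowerShell. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, an account that can read every domain controller, and that the attribute being absent on the domain NC head means the 14-day default is in effect. The function and parameter names are the example's own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and an account that can query every DC in the current domain.
Import-Module ActiveDirectory

function Get-LogonTimeSyncInterval {
    # Reads msDS-LogonTimeSyncInterval from the domain NC head, the same object the
    # poster's Set-ADObject command targets. When the attribute is not set, DCs use 14 days.
    $domainDN = (Get-ADDomain).DistinguishedName
    $nc    = Get-ADObject -Identity $domainDN -Properties 'msDS-LogonTimeSyncInterval'
    $value = $nc.'msDS-LogonTimeSyncInterval'
    [PSCustomObject]@{
        DomainDN        = $domainDN
        ConfiguredValue = $value                     # $null when the attribute is absent
        EffectiveDays   = if ($null -eq $value) { 14 } else { [int]$value }
    }
}

function Get-InactiveUserReport {
    param([int]$InactiveDays = 30)

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $dcs    = (Get-ADDomainController -Filter *).HostName

    # lastLogon is never replicated, so the exact answer needs every DC.
    # One query per DC (not one per user per DC), aggregated by DN.
    $newestLastLogon = @{}
    $unreachable     = @()
    foreach ($dc in $dcs) {
        try {
            $rows = Get-ADUser -Filter 'Enabled -eq $true' -Server $dc -Properties lastLogon -ErrorAction Stop
        } catch {
            $unreachable += $dc   # without this DC the lastLogon view is incomplete; report it
            continue
        }
        foreach ($r in $rows) {
            if ($r.lastLogon -gt 0) {
                $t  = [DateTime]::FromFileTime($r.lastLogon)   # FILETIME (UTC) -> local DateTime
                $dn = $r.DistinguishedName
                if (-not $newestLastLogon.ContainsKey($dn) -or $t -gt $newestLastLogon[$dn]) {
                    $newestLastLogon[$dn] = $t
                }
            }
        }
    }

    # lastLogonTimestamp is replicated, so the local DC's copy is as good as any.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated

    foreach ($u in $users) {
        $llts = if ($u.lastLogonTimestamp -gt 0) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        $ll   = $newestLastLogon[$u.DistinguishedName]   # $null if no DC has a lastLogon for it

        # No value at all means no recorded logon; only count that as inactive when the
        # account itself is older than the cutoff, otherwise brand-new accounts get disabled.
        $inactiveByLlts = ($null -eq $llts -and $u.whenCreated -lt $cutoff) -or ($llts -and $llts -lt $cutoff)
        $inactiveByLl   = ($null -eq $ll   -and $u.whenCreated -lt $cutoff) -or ($ll   -and $ll   -lt $cutoff)

        [PSCustomObject]@{
            SamAccountName      = $u.SamAccountName
            LastLogonTimestamp  = $llts
            NewestLastLogon     = $ll
            InactiveByLLTS      = $inactiveByLlts
            InactiveByLastLogon = $inactiveByLl
            # Accounts where the coarse LLTS verdict differs from the exact lastLogon verdict:
            # these are the ones a timestamp-only audit would misclassify.
            Disagree            = ($inactiveByLlts -ne $inactiveByLl)
            UnreachableDCs      = ($unreachable -join ',')
        }
    }
}

Get-LogonTimeSyncInterval
Get-InactiveUserReport -InactiveDays 30 | Where-Object Disagree | Format-Table -AutoSize
```

Run it before and after any change to msDS-LogonTimeSyncInterval: the number of rows with Disagree set is the practical measure of how much the LLTS lag actually costs the 30-day audit in your domain, and a non-empty UnreachableDCs column means the lastLogon side of the comparison is incomplete and should not be trusted for that run.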

Hello @BrainWani-3531,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello @BrainWani-3531,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


1 Answer

DaisyZhou-MSFT answered

Hello @BrainWani-3531,

Thank you for posting here.

If you have no problems with the AD environment, I suggest that you not change the value of the attribute "msDS-LogonTimeSyncInterval". We are not sure whether modifying this attribute value will affect the AD environment in the future.


For more information about the attribute of "msDS-LogonTimeSyncInterval", you can refer to the link below.

Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx


Hope the information above is helpful.

And I hope that experts who have any ideas about this attribute change will actively participate in the discussion of this post.



Best Regards,
Daisy Zhou
