Replication like it's 1999: msDS-LogonTimeSyncInterval

Brain Wani 1 Reputation point
2021-04-09T21:05:43.367+00:00

OK, I'm a conscientious admin, and we've had Active Directory for nearly 20 years. I remember being really careful to make sure Active Directory replication was optimized, we put DNS in Forest containers, etc. Now however we have DNS on all our domain controllers because client performance is more important than minimizing replication. We turned on change notification so changes replicate in 5-15 seconds instead of 15-45 minutes.

So I was writing an email explaining LastLogonTimeStamp today, and thinking about it, I have to question why we care so much any more. The way LLTS works, it gets updated if it's more than 9-14 days newer than the stored value. Let's say users do lots of authentications per day, this will tend to be worst case, replicate once every 9 days. Honestly, if you have more than a few "authentication" events in a day, you're going to replicate LLTS.

The "problem" with LLTS is that it's not that accurate, can be 9-14 days off. We have an audit requirement to disable inactive users after 30 days. I could write something complicated to query all the DCs' LastLogon, or just set msDS-LogonTimeSyncInterval to 1. Worst case, this increases the replication traffic for LLTS by a factor of 9. Is that significant? Are our network connections 9 times faster than our 2003 network connections? Are our computers 9 times faster than our 2003 computers? I think we can handle it, and it keeps things simple.

set-adobject "DC=cottage,DC=local" -replace @{"msDS-LogonTimeSyncInterval"=1}

Has anyone done this? Did the world end? Should it be the 2019+ default? (Did I miss something and it already is for new domains?)
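The "something complicated" alternative the question mentions, written out as an added example (not code from the original post or from Microsoft): read the domain's current msDS-LogonTimeSyncInterval so you know how stale lastLogonTimestamp can be, then reconcile the non-replicated lastLogon value from every domain controller with the replicated lastLogonTimestamp to find accounts idle for more than the 30-day audit threshold. It assumes the RSAT ActiveDirectory module, an account that can read every DC, and that an unset interval means the 14-day default.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory module
# and read access to every domain controller in the current domain.
Import-Module ActiveDirectory

# 1. Report the domain-wide sync interval (worst-case staleness of lastLogonTimestamp).
$domain   = Get-ADDomain
$nc       = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval'
$syncDays = $nc.'msDS-LogonTimeSyncInterval'
if ($null -eq $syncDays) { $syncDays = 14 }   # assumption: unset attribute = 14-day default
# lastLogonTimestamp is only rewritten when the stored value is older than
# (interval minus a random 0-5 days), so it can lag the real logon by up to $syncDays days.
Write-Host "msDS-LogonTimeSyncInterval = $syncDays day(s); lastLogonTimestamp may lag real logons by up to that long."

# 2. lastLogon is NOT replicated: each DC only knows the logons it serviced, so ask all of them.
$inactiveDays = 30                              # audit threshold from the question
$cutoff       = (Get-Date).AddDays(-$inactiveDays)
$dcs          = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$latest       = @{}                             # samAccountName -> newest logon seen on any DC

foreach ($dc in $dcs) {
    try {
        Get-ADUser -Server $dc -Filter 'enabled -eq $true' -Properties lastLogon, lastLogonTimestamp |
        ForEach-Object {
            $sam   = $_.SamAccountName
            $times = @($_.lastLogon, $_.lastLogonTimestamp) |
                     Where-Object { $_ -gt 0 } |
                     ForEach-Object { [DateTime]::FromFileTime($_) }
            foreach ($t in $times) {
                if (-not $latest.ContainsKey($sam) -or $t -gt $latest[$sam]) { $latest[$sam] = $t }
            }
        }
    } catch {
        # An unreachable DC means the picture is incomplete; surface it rather than hide it.
        Write-Warning "Could not query $dc : $_"
    }
}

# 3. Accounts whose newest observed logon on ANY DC is older than the cutoff.
$stale = foreach ($sam in $latest.Keys) {
    if ($latest[$sam] -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName = $sam
            LastSeen       = $latest[$sam]
            DaysIdle       = [int]((Get-Date) - $latest[$sam]).TotalDays
        }
    }
}
$stale | Sort-Object DaysIdle -Descending | Format-Table -AutoSize

# Enabled accounts with no logon recorded on any DC at all (never used, or predates the DCs).
Get-ADUser -Filter 'enabled -eq $true' |
    Where-Object { -not $latest.ContainsKey($_.SamAccountName) } |
    Select-Object SamAccountName, @{ n = 'LastSeen'; e = { 'never' } }
```

Running this once before and after changing msDS-LogonTimeSyncInterval shows how much of the gap between lastLogon and lastLogonTimestamp the setting actually closes in your domain; if every DC answers, the per-DC lastLogon sweep is the accurate source regardless of the interval, and the interval only matters for how much you can trust the single replicated attribute.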


  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-04-12T05:59:43.76+00:00

    Hello @Brain Wani ,

    Thank you for posting here.

    If you have no problems with the AD environment, I suggest that you not change the value of the attribute "msDS-LogonTimeSyncInterval". We are not sure whether modifying this attribute value will affect the AD environment in the future.

    For more information about the attribute of "msDS-LogonTimeSyncInterval", you can refer to the link below.

    Understanding the AD Account attributes - LastLogon, LastLogonTimeStamp and LastLogonDate
    https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    Hope the information above is helpful.

    And I hope that experts who have any ideas about this attribute change will actively participate in the discussion of this post.

    Best Regards,
    Daisy Zhou
