INFO: Last-Logon-Timestamp (lastLogonTimestamp)
lastLogonTimestamp is a new attribute that becomes available once the forest is at Windows Server 2003 forest functional level. Unlike lastLogon it is replicated; however, because it is updated only infrequently (see below), it can give the incorrect impression that it is not replicated like other attributes.
Whenever a domain controller authenticates a user, inetOrgPerson or computer object, for a logon of any type, it stamps that object's lastLogon attribute with the current date and time. The attribute stores the time as a 64-bit integer (a FILETIME): the number of 100-nanosecond intervals that have elapsed since 00:00:00 on 01/01/1601 UTC. The problem with lastLogon is that, because of how often it can change, it is not replicated; each domain controller holds only the value from the logons it processed itself. That makes it a little tricky to retrieve up-to-date information on the last logon time of a security principal, if you want that information: you have to query every domain controller and take the most recent value.
Windows Server 2003 introduced a new attribute called lastLogonTimestamp. This attribute is replicated, but it is not updated for every logon event. This might seem a little strange, but the reason is simple: replicating the last logon time of every security principal on every logon would cause massive amounts of unnecessary, and largely irrelevant, replication traffic.
Every time an authentication occurs and lastLogon is updated, the directory service performs a calculation, based on the update frequency (the attribute msDS-LogonTimeSyncInterval, 14 days by default), to decide whether to update lastLogonTimestamp as well. The calculation is not as straightforward as you might expect; it is made up of two steps. First, the update frequency is compared with the swing/skew value of five days. If the update frequency is greater, a temporary (in-memory) update frequency is generated by subtracting a random number of days between 0 and 5 from it; this in-memory value is what the second step uses. Second, the effective update frequency is compared with the length of time that has elapsed since lastLogonTimestamp was last written. If that elapsed time exceeds the update frequency, lastLogonTimestamp is stamped with the current date and time, just as lastLogon was. The consequence is that lastLogonTimestamp can lag the true last logon by anything up to msDS-LogonTimeSyncInterval (nine to fourteen days with the default settings), so it is suitable for finding stale accounts but not for answering "when did this account last log on".
Summarised, the process is like the following pseudo code:
If msDS-LogonTimeSyncInterval > 5 then
    [update-frequency] = msDS-LogonTimeSyncInterval – random(0-5) days
Else
    [update-frequency] = msDS-LogonTimeSyncInterval
If (now – lastLogonTimestamp) > [update-frequency] then
    update lastLogonTimestamp (with the current timestamp)
Note. If msDS-LogonTimeSyncInterval is 5 or less, the random swing period isn't used. The minimum value for msDS-LogonTimeSyncInterval is one day in AD and zero in ADAM.
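As an added example (not part of the original article, and not Microsoft's directory service code), here is a small Python model of the two-step decision above, built on the FILETIME encoding (100-nanosecond ticks since 01/01/1601 UTC) that lastLogon and lastLogonTimestamp use. The function names, the FixedSkew stand-in for the random number generator and the daily-logon sample input are mine; treating a zero or absent lastLogonTimestamp as "never stamped, so stamp now" is an assumption the article does not state. Replaying a month of daily logons shows why the attribute is only good for finding stale accounts: with the default 14-day interval it is rewritten only a handful of times.

```python
# Added example: model of the lastLogonTimestamp update decision and the
# FILETIME encoding it operates on. Not the original article's code.
import random
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one FILETIME tick = 100 ns
SKEW_DAYS = 5                          # random swing subtracted from the interval
DEFAULT_SYNC_INTERVAL_DAYS = 14        # msDS-LogonTimeSyncInterval default in AD


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a lastLogon / lastLogonTimestamp value into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Encode an aware datetime as 100 ns ticks since 1601-01-01 UTC."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def effective_interval_days(sync_interval_days: int, rng) -> int:
    """Step 1: if the interval exceeds the skew, shave off a random 0-5 days."""
    if sync_interval_days > SKEW_DAYS:
        return sync_interval_days - rng.randint(0, SKEW_DAYS)
    return sync_interval_days


def should_stamp(current_value: int, now: datetime, sync_interval_days: int, rng) -> bool:
    """Step 2: stamp only if the existing stamp is older than the effective interval."""
    if current_value == 0:
        # Assumption (not in the article): an unset attribute is stamped immediately.
        return True
    elapsed = now - filetime_to_datetime(current_value)
    return elapsed > timedelta(days=effective_interval_days(sync_interval_days, rng))


def simulate(logons, sync_interval_days=DEFAULT_SYNC_INTERVAL_DAYS, rng=None):
    """Replay a sequence of logon times and return the times at which
    lastLogonTimestamp would actually have been rewritten (and so replicated)."""
    rng = rng or random.Random()
    stamped = 0                # the stored lastLogonTimestamp value (0 = never set)
    writes = []
    for when in logons:
        if should_stamp(stamped, when, sync_interval_days, rng):
            stamped = datetime_to_filetime(when)
            writes.append(when)
    return writes


class FixedSkew:
    """Stand-in for random.Random that always picks the same swing (for tests)."""
    def __init__(self, value: int):
        self.value = value

    def randint(self, lo: int, hi: int) -> int:
        return self.value


def daily_logons(days: int, start: datetime = datetime(2007, 1, 1, 8, 0, tzinfo=timezone.utc)) -> list:
    """Constructed sample input: one logon per day at 08:00 UTC starting at `start`."""
    return [start + timedelta(days=d) for d in range(days)]


if __name__ == "__main__":
    month = daily_logons(31)
    writes = simulate(month, rng=random.Random(1))
    print(f"{len(month)} daily logons -> {len(writes)} lastLogonTimestamp writes")
    for w in writes:
        print("  stamped", w.date(), "as FILETIME", datetime_to_filetime(w))
```

With a fixed swing of 0 (effective interval 14 days) the 31 daily logons produce writes on days 0, 15 and 30 only; with a swing of 5 (effective interval 9 days) they produce writes on days 0, 10, 20 and 30. In both cases an account that logs on every day looks, to any other domain controller, as though it last logged on up to two weeks ago, which is the margin a stale-account query must allow for.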
Further reading / credit
Thanks go to Directory Services MVP Joe Richards of www.joeware.net, author of O’Reilly Active Directory 3rd Edition (http://www.oreilly.com/catalog/actdir3/), for taking the time to translate the DS source code and explain this process (late one evening, in Las Vegas).
Author: Paul Williams
Last updated: 18-01-2007
Last updated by: Paul Williams