ojfahoum
asked on
Logon information in Active Directory
Why are logon times different from DC to DC? Isn't last login time an attribute of the user object, and thus replicated to every domain controller?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For the sake of clarity - As in yes it IS an attribute - but NO it isn't replicated - it's value is held locally on the DC....
deb,, I'll be the first person to admit when im wrong, but i dont think i am here. Although i think i might have left off part of the solution. My link tells him how to set up a time server. Then all of his other computers/DCs need to synch to it. they could us the "command net time /set /y" to do this. I'm not sure what your links even do or do i know why you say. "Actually, no it isn't, not in w2k anyway." My link was straight from MS, how could it be wrong?
Hi Mike
Sorry I posted my response prior to refreshing my browser, so I didn't know you'd posted until I'd submitted.
I think we've just both interpreted the question differently -
I took the question to be referring to the last logon time user attribute showing as being different depending on which dc is being queried, often admins query these to track outdated or unused user accounts - Whilst AD is replicated, there are some attributes that aren't for some reason (MS would know) - the relevant part of my first link (which is msdn) is:
"lastLogon
Non-replicated. The lastLogon attribute specifies when the last logon occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used." - <-- My second link is to a script which does just that - automatically queries dc's for the latest value.
From your posting you're referrring to time differentials between the dc's that would cause time differences, and if that is the issue, then yes you're right with the correct ms article for time syncing. We've just taken two different views of the question and posted at about the same time, but we are both right I think about what we've said.
Deb :))
Sorry I posted my response prior to refreshing my browser, so I didn't know you'd posted until I'd submitted.
I think we've just both interpreted the question differently -
I took the question to be referring to the last logon time user attribute showing as being different depending on which dc is being queried, often admins query these to track outdated or unused user accounts - Whilst AD is replicated, there are some attributes that aren't for some reason (MS would know) - the relevant part of my first link (which is msdn) is:
"lastLogon
Non-replicated. The lastLogon attribute specifies when the last logon occurred. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). The high part of this large integer corresponds to the dwHighDateTime member of the FILETIME structure and the low part corresponds to the dwLowDateTime member of the FILETIME structure. This attribute is maintained separately on each domain controller in the domain. A value of zero means that the last logon time is unknown. To get an accurate value for the user's last logon in the domain, each domain controller in the domain must be queried and the largest value should be used." - <-- My second link is to a script which does just that - automatically queries dc's for the latest value.
From your posting you're referrring to time differentials between the dc's that would cause time differences, and if that is the issue, then yes you're right with the correct ms article for time syncing. We've just taken two different views of the question and posted at about the same time, but we are both right I think about what we've said.
Deb :))
ASKER
I guess my question was a little vague. Thank you all for your responses. Deb actually answered my question. The link to the MSDN stuff was exactly what I needed. I was trying to figure out what was replicated and what was not across DCs in terms of users and logins.
Again thank you all for the responses.
Again thank you all for the responses.
Thanks ojfahoum - Glad I helped!
Mike - What you said WAS right - the question could have been taken two ways... You've aced me before now right?
w2kmcp - Don't you feel a right donkey? LOL
Mike - What you said WAS right - the question could have been taken two ways... You've aced me before now right?
w2kmcp - Don't you feel a right donkey? LOL
http://support.microsoft.com/default.aspx?scid=216734