What should you use?

Your network contains one Active Directory forest named contoso.com.
The forest contains two child domains and six domain controllers.
The domain controllers are configured as shown in the following table.

You need to replicate users who haven’t authenticated against any domain controllers for the last 7 days.
What should you use?

A. Set-ADSite

B. Set-ADReplicationSite

C. Set-ADDomain

D. Set-ADReplicationSiteLink

E. Set-ADGroup

F. Set-ADForest

G. Netdom

Explanation:
https://technet.microsoft.com/en-us/library/ee617212.aspx




yqr

C*

* Not 100% sure.

https://technet.microsoft.com/en-ca/library/ee617212.aspx

“LastLogonReplicationInterval

Specifies the time, in days, within which the last logon time of an account must be replicated across all domain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day. Setting the last logon replication interval to a low value can significantly increase domain-wide replication.

The following example shows how to set this parameter to 10 days.
-LastLogonReplicationInterval "10"”

Chris

I think there is some miswording in the question. I suspect it was supposed to read: You need to replicate users who haven’t authenticated against any domain controllers within 7 days.
It should replicate within 14 days with default settings.

In this case, the answer is C.

Get-ADDomain | Set-ADDomain -LastLogonReplicationInterval "7"
or
Set-ADDomain contoso.com -LastLogonReplicationInterval "7"

https://technet.microsoft.com/en-us/library/ee617212.aspx?f=255&MSPPError=-2147217396

Chris

Additional Note: To get an accurate LastLogon, you would need to query the last DC the user logged onto. Even with setting the LastLogonReplicationInterval to 7 you may get an answer that is out of date by 7 days if your query is on a DC that did not authenticate the user in the last 7 days.

Chris

Actually, the above comment would be correct for LastLogonTimeStamp.
LastLogon is going to be inaccurate regardless, since it doesn’t update on login unless it's already expired.

You can query all DCs in a domain for these values with the commands below:
PS C:\> repadmin /showattr * "CN=John Doe,OU=IT,DC=contoso,DC=com" /attrs:lastLogontimeStamp >C:\lastLogontimeStamp.txt

PS C:\> repadmin /showattr * "CN=John Doe,OU=IT,DC=contoso,DC=com" /attrs:lastLogon >C:\lastLogonStamp.txt
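
The per-DC query from the comment above, as an added PowerShell example that is not part of the original comments: it reads lastLogon and lastLogonTimestamp from every domain controller in the current domain, shows the configured msDS-LogonTimeSyncInterval, and reports the newest lastLogon found. The function names Get-LastLogonPerDC and ConvertFrom-FileTime and the account name 'jdoe' are hypothetical; the cmdlets come from the ActiveDirectory module.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to each DC.
Import-Module ActiveDirectory

# Hypothetical helper: both attributes are stored as FILETIME integers; 0 or empty means "never".
function ConvertFrom-FileTime([object] $Value) {
    if ($null -eq $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

# Hypothetical function: read both attributes from every DC in the current domain.
function Get-LastLogonPerDC {
    param([Parameter(Mandatory)] [string] $Identity)   # sAMAccountName or distinguished name

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $Identity -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            [pscustomobject]@{
                DomainController   = $dc.HostName
                LastLogonUtc       = ConvertFrom-FileTime $user.lastLogon
                LastLogonTimestamp = ConvertFrom-FileTime $user.lastLogonTimestamp
            }
        }
        catch {
            # An unreachable DC leaves a gap in the result; surface it instead of hiding it.
            Write-Warning "Query against $($dc.HostName) failed: $($_.Exception.Message)"
        }
    }
}

# Configured interval in days, read from the attribute named on this page.
# An empty value means the domain has not set it explicitly.
$domainDn = (Get-ADDomain).DistinguishedName
$interval = (Get-ADObject -Identity $domainDn `
                 -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
"msDS-LogonTimeSyncInterval: $(if ($null -eq $interval) { 'not set' } else { "$interval day(s)" })"

# 'jdoe' is a placeholder account name.
$results = @(Get-LastLogonPerDC -Identity 'jdoe')
$results | Format-Table -AutoSize | Out-String

# lastLogon is kept per DC and not replicated, so compare the values from all DCs.
$newest = $results | Where-Object LastLogonUtc |
    Sort-Object LastLogonUtc -Descending | Select-Object -First 1
if ($newest) {
    "Newest lastLogon: $($newest.LastLogonUtc.ToString('u')) on $($newest.DomainController)"
}
```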

Chris

LOL, actually they are both not precise as they both will not update until current value has expired.