Yournetwork contains one Active Directory forest named contoso.com.
The forest contains two child domains and six domain controllers.
The domain controllers are configured as shown in the following table.
Youneed to replicate users who haven’t authenticated against any domain controllers for the last 7
days.
What should you use?
A.
Set-ADSite
B.
Set-ADReplicationSite
C.
Set-ADDomain
D.
Set-ADReplicationSiteLink
E.
Set-ADGroup
F.
Set-ADForest
G.
Netdom
Explanation:
https://technet.microsoft.com/en-us/library/ee617212.aspx
C*
* Not 100% sure.
https://technet.microsoft.com/en-ca/library/ee617212.aspx
“LastLogonReplicationInterval
Specifies the time, in days, within which the last logon time of an account must be replicated across all domain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for this property is msDS-LogonTimeSyncInterval. The last logon replication interval must be at least one day. Setting the last logon replication interval to a low value can significantly increase domain-wide replication.
The following example shows how to set this parameter to 10 days.
-LastLogonReplicationInterval “10” “
0
0
I think there is some miswording in the question. I suspect it was supposed to read: You need to replicate users who haven’t authenticated against any domain controllers within 7 days.
It should replicate within 14 days with default settings.
In this case, the answer is C.
Get-ADDomain | Set-ADDomain -LastLogonReplicationInterval “7”
or
Set-ADDomain contoso.com -LastLogonReplicationInterval “7”
https://technet.microsoft.com/en-us/library/ee617212.aspx?f=255&MSPPError=-2147217396
0
0
Even that wording is confusing, I have seen another question for this with better wording, but forget what the wording was.
Something Like: You need to ensure that the Last Logon Time is replicated within 7 days.
0
0
See below link for how and when the timestamp is updated:
https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/
0
0
Additional Note: To get an accurate LastLogon, you would need to query the last DC the user logged onto. Even with setting the LastLogonReplicationInterval to 7 you may get an answer that is out of date by 7 days if your query is on a DC that did not authenticate the user in the last 7 days.
0
0
Actually, the above comment would be correct for LastLogonTimeStamp.
LastLogon is going to be inaccurate regardless, since it doesn’t update on login unless its already expired.
You can query all DCs in a domain for these values with below commands:
PS C:\> repadmin /showattr * “CN=John Doe,OU=IT,DC=contoso,DC=com” /attrs:lastLogontimeStamp >C:\lastLogontimeStamp.txt
PS C:\> repadmin /showattr * “CN=John Doe,OU=IT,DC=contoso,DC=com” /attrs:lastLogon >C:\lastLogonStamp.txt
0
0
LOL, actually they are both not precise as they both will not update until current value has expired.
0
0