lastLogonTimeStamp vs lastLogon
lastLogonTimeStamp compared to lastLogon
This attribute is only updated on the domain controller against which the user has authenticated. The attribute is not replicated with other DCs or stored in the GC. For computers, the value is updated only when a computer authenticates against the domain, such as after booting or after the access token has been updated.
This attribute is replicated between all domain controllers in the forest but is not stored in the GC. Responsible for synchronizing this specification is msDS-LogonTimeSyncInterval.
The default replication begins after 14 days, with a random value of minus 0-5 days determining the actual time of replication. This results in a replication window between 9-14 days.
This construct is intended to protect (optimize) the network bandwidth from innumerable and unnecessary replications.
If a user has never logged on to the domain in any way, the value of the attribute remains NULL (never / never).
If the user has logged on for the first time, the value of the lastLogon attribute is immediately passed to lastLogonTimeStamp and replicated to all other DCs. Subsequent logins will only update the lastLogon attribute. This is very clear on the right picture.
From now on, the value of the attribute lastLogonTimeStamp will follow the above principle and will be replicated after 14 days at the latest.