If you are querying AD, you may get inaccurate results when the attribute you query is not replicated between all domain controllers. Two common attributes I see people having issues with are lastlogon and whenchanged. Suppose you query for lastlogon and get a value: it may not be accurate, because there may be a newer value on another DC. On a side note, lastlogontimestamp is usually good enough for most folks...but I digress.
Is there a way to find which attributes are not replicated between DCs? Yes, and there are various methods to find this information. I once again go to the great ADFIND tool from MVP Joe Richards. Joe was recently awarded the MVP for the 10th straight year, and that is well deserved.
Adfind has a ton of great shortcuts and one of them is to find non-replicated attributes.
adfind -sc norepl cn -nodn
I only output the cn of each object and didn't need the distinguished name, so I left that off with -nodn.
You can see part of the output below. Notice the whenchanged attribute that was mentioned earlier.
systemFlags contains a flag that defines whether an attribute is replicated. As you can see in the link, if the value 1 is applied to an attribute it will not be replicated. So you could also get fancy with adfind and do something like
adfind -schema -bit -f "&(objectclass=attributeschema)(systemflags:AND:=1)" cn -nodn
That should give you the exact same result as the previous command. I'd personally always go with the shortcuts...they are there to make things easier...thanks Joe :)
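To tie the two points together (the systemFlags bit test and the stale lastlogon problem), here is an added example that is not part of the original post or of adfind. It applies the same bit-1 check to schema entries and picks the newest lastLogon from values collected from every DC. The schema flag values, DC names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FLAG_ATTR_NOT_REPLICATED = 0x1   # the bit matched by (systemflags:AND:=1)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def is_not_replicated(system_flags):
    """True when a schema entry's systemFlags has bit 1 set."""
    return bool(int(system_flags) & FLAG_ATTR_NOT_REPLICATED)

def non_replicated(schema):
    """Names of the schema entries whose attribute is not replicated."""
    return sorted(cn for cn, flags in schema.items() if is_not_replicated(flags))

def filetime_to_utc(value):
    """lastLogon is 100 ns ticks since 1601-01-01 UTC; 0 means no logon seen."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def newest_last_logon(per_dc):
    """Return (dc, datetime) for the newest lastLogon across all DCs."""
    best_dc, best = None, None
    for dc, raw in per_dc.items():
        when = filetime_to_utc(raw)
        if when is not None and (best is None or when > best):
            best_dc, best = dc, when
    return best_dc, best

# Constructed sample data: schema cn -> systemFlags, and one user's lastLogon
# as returned by three hypothetical DCs (dc03 never authenticated the user).
SCHEMA = {"Last-Logon": 17, "When-Changed": 19,
          "Last-Logon-Timestamp": 16, "Common-Name": 18}
LAST_LOGON = {"dc01": "133485408000000000",
              "dc02": "133497504000000000",
              "dc03": "0"}

if __name__ == "__main__":
    print(non_replicated(SCHEMA))
    dc, when = newest_last_logon(LAST_LOGON)
    print(dc, when.isoformat())
```

Asking only dc01 would report a logon two weeks older than the real one, which is why a non-replicated attribute has to be read from every DC before you trust it.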