whenChanged and modifyTimeStamp – Active Directory

Description

In this article, I am going to explain about the Active Directory attributes whenChanged and modifyTimeStamp and how these attributes are updated in all Domain Controllers despite being a Non-Replicable attribute.

Summary

  • WhenChanged is a date time attribute which holds an AD object’s latest changed time and it is Non-Replicable attribute. 
  • ModifyTimeStamp is a computed attribute and it is also Non-Replicable attribute. 
  • Both are Non-Replicable attributes but that doesn’t mean every domain controller holds very different value like lastLogon attrbute. Yes, both are non-replicable attributes but it will be updated in all DCs for every AD change.

How whenChanged attribute value get updated in all DCs?

Before explain this, I would like to explain what is Active Directory Replication?. In Active Directory, objects are distributed among all domain controllers in a forest, and all domain controllers can be updated directly. Active Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.

So, AD replication ensures same data in all DCs by transferring every change automatically to other DC,

Consider this scenario:

If you change the value for description attribute of any object as “test”, it will be updated in all other DC but here you have not changed either whenChanged or modifyTimeStamp then how it gets updated in your own DC?.
You know whenChanged is system attribute and it will be automatically updated for every change. So the description attribute change indirectly force the whenChanged attribute to set latest time. Like this, the replication change on every DC will automatically force the whenChanged attribute to set the particular DC‘s latest time. So, the value of  whenChanged attribute may or may not be identical in all DCs depends upon the replication interval.

For more clarity, consider this scenario:

DC1–  AD Domain Controller 1
DC2–  AD Domain Controller 2
U1–     an AD user

Replication Interval: 15 secs

If you change the user U1’s description value in DC1 at 10:10:00 AM, the whenChanged attribute gets updated as 10:10:00 AM in DC1. Since the replication interval is 15 secs, the description value will be replicated into DC2 at 10:10:15 AM and it automatically updates the whenChanged attribute as 10:10:15 AM in DC2. So depends upon the replication interval the value of whenChanged attribute may or may not be identical in all domain controllers but it holds the updated value.

Advertisement

7 thoughts on “whenChanged and modifyTimeStamp – Active Directory”

    • It will not change when you do this change in group object under members tab, and hope you will see the same behavior when you change from user object but I am not sure.

      Reply
    • Thank you. I was more thinking in the direction that whether this attribute can reliably be used to incrementally sync directory by only fetching such changed users rather than crawling over all of them. Sounds like it cannot be relied on.

      Reply

Leave a Comment