There was a posting in the public newsgroups the other day concerning using whenChanged and/or modifyTimeStamp for tracking changes for an object so I thought I would say a few words about it…
Before I say anything though, let's look at the schema definitions:
F:\>adfind -sc s:whenchanged
AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>objectClass: top
>objectClass: attributeSchema
>cn: When-Changed
>distinguishedName: CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>instanceType: 4 [WRITABLE(4)]
>whenCreated: 20021023015022.0Z
>whenChanged: 20050514161047.0Z
>uSNCreated: 5126
>attributeID: 1.2.840.113556.1.2.3
>attributeSyntax: 2.5.5.11 [STRING (UTC/GENERALIZED TIME)]
>isSingleValued: TRUE
>mAPIID: 12296
>uSNChanged: 5126
>showInAdvancedViewOnly: TRUE
>adminDisplayName: When-Changed
>adminDescription: When-Changed
>oMSyntax: 24
>searchFlags: 0 []
>lDAPDisplayName: whenChanged
>name: When-Changed
>objectGUID: {DDB22CED-BB5E-470F-A21C-0DA0853FF397}
>schemaIDGUID: {BF967A77-0DE6-11D0-A285-00AA003049E2}
>systemOnly: TRUE
>systemFlags: 19 [NOT REPLICATED(1);PAS-ATTR(2);CAT-1(16)]
>isMemberOfPartialAttributeSet: TRUE
>objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050909162804.0Z
>dSCorePropagationData: 20050909162631.0Z
>dSCorePropagationData: 16010101000417.0Z

1 Objects returned
F:\>adfind -sc s:modifyTimeStamp
AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=joe,DC=com
>objectClass: top
>objectClass: attributeSchema
>cn: Modify-Time-Stamp
>distinguishedName: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=joe,DC=com
>instanceType: 4 [WRITABLE(4)]
>whenCreated: 20021023015016.0Z
>whenChanged: 20050514161045.0Z
>uSNCreated: 4498
>attributeID: 2.5.18.2
>attributeSyntax: 2.5.5.11 [STRING (UTC/GENERALIZED TIME)]
>isSingleValued: TRUE
>uSNChanged: 4498
>showInAdvancedViewOnly: TRUE
>adminDisplayName: Modify-Time-Stamp
>adminDescription: Modify-Time-Stamp
>oMSyntax: 24
>searchFlags: 0 []
>lDAPDisplayName: modifyTimeStamp
>name: Modify-Time-Stamp
>objectGUID: {5BC24C7E-958E-429C-AC3F-41EEEFE39B76}
>schemaIDGUID: {9A7AD94A-CA53-11D1-BBD0-0080C76670C0}
>systemOnly: TRUE
>systemFlags: 134217748 [CONSTRUCTED(4);CAT-1(16);NO-RENAME(134217728)]
>objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050909162804.0Z
>dSCorePropagationData: 20050909162630.0Z
>dSCorePropagationData: 16010101000417.0Z

1 Objects returned
The things to notice about the schema definitions:
- whenChanged is marked as not-replicated
- modifyTimeStamp is marked as constructed (effectively an alias for whenChanged)
This means neither attribute is replicated. That is critical to keep in mind if you are tracking changes with these attributes: you can only track changes this way against the SAME DC. Objects on different DCs can, and usually will (if in different sites), have very different values for these attributes, even if only one change has been made on the object recently.
Something that REALLY seems to surprise people is that even promoting a new DC will result in this value being different on that DC. As an example, check out the wide range of values for the whenChanged attribute on the whenChanged schema definition itself; this is entirely due to the different DCPromo times of the DCs:
F:\>adfind -sc s:whenchanged whenChanged -h 2k3dc02 -tdcgt
AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>whenChanged: 05/14/2005-12:10:47 Eastern Daylight Time

1 Objects returned
F:\>adfind -sc s:whenchanged whenChanged -h 2k3dc10 -tdcgt
AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006
Using server: 2k3dc10.child1.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>whenChanged: 07/04/2004-18:26:19 Eastern Daylight Time

1 Objects returned
F:\>adfind -sc s:whenchanged whenChanged -h 2k3dc11 -tdcgt
AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006
Using server: 2k3dc11.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>whenChanged: 05/26/2006-19:05:48 Eastern Daylight Time

1 Objects returned
I have used that understanding of this attribute in the past to “magically” tell companies when all of their DCs were promoted when they weren’t really sure themselves or help discover replication latency issues when none allegedly existed. It is especially useful when you walk into a shop (or more likely a shop that has a “loud” admin or two) that thinks and guarantees you that it isn’t possible to get any “real” info about Domain Controllers without being a Domain Admin and this (and much more) is easily available as any normal user. Shhh, don’t tell anyone….
joe
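As an added example (not part of the original post, and not AdFind's own code), here is a small Python script that does the two checks the post walks through by hand: it parses AdFind-style output, decodes the systemFlags bits on an attributeSchema object to decide whether an attribute is actually replicated (and therefore safe to compare across DCs), and it measures how far apart the whenChanged values read from several DCs are. The flag bit values and names are the ones AdFind prints in brackets above; the sample schema lines and the per-DC whenChanged values are constructed from the output in the post (the three Eastern Daylight Time values converted to GeneralizedTime in UTC).

```python
from datetime import datetime, timezone

# systemFlags bit values for attributeSchema objects, using the names adfind prints in
# brackets in the post (e.g. "19 [NOT REPLICATED(1);PAS-ATTR(2);CAT-1(16)]").
SYSTEM_FLAG_NAMES = {
    0x1: "NOT REPLICATED",      # attribute is not replicated between DCs
    0x2: "PAS-ATTR",            # attribute is in the partial attribute set (GC)
    0x4: "CONSTRUCTED",         # value is computed by the DSA, never stored
    0x10: "CAT-1",              # base (category 1) schema object
    0x08000000: "NO-RENAME",    # schema object may not be renamed
}


def decode_system_flags(value):
    """Return the flag names set in an integer systemFlags value, lowest bit first."""
    return [name for bit, name in sorted(SYSTEM_FLAG_NAMES.items()) if value & bit]


def parse_adfind(text):
    """Parse adfind's plain-text output ('dn:...' then '>attr: value' lines) into a list
    of dicts. Every attribute maps to a list so multi-valued attributes survive."""
    objects = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("dn:"):
            current = {"dn": [line[3:].strip()]}
            objects.append(current)
        elif line.startswith(">") and current is not None:
            attr, _, val = line[1:].partition(":")
            current.setdefault(attr.strip(), []).append(val.strip())
        # banner lines ("AdFind V...", "Using server:", "N Objects returned") are ignored
    return objects


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime such as '20050514161047.0Z' to an aware UTC datetime."""
    return datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_safe_for_change_tracking(attr_schema):
    """Decide from an attributeSchema entry whether the attribute's value can be compared
    across DCs: it must be neither NOT REPLICATED nor CONSTRUCTED."""
    flags = int(attr_schema["systemFlags"][0].split()[0])
    names = decode_system_flags(flags)
    ok = "NOT REPLICATED" not in names and "CONSTRUCTED" not in names
    return ok, names


def when_changed_spread(per_dc):
    """per_dc maps DC name -> GeneralizedTime string for the same object. Returns
    (earliest DC, latest DC, spread as timedelta); a large spread is the signature of a
    non-replicated attribute (or of replication latency for a replicated one)."""
    times = {dc: parse_generalized_time(v) for dc, v in per_dc.items()}
    earliest = min(times, key=times.get)
    latest = max(times, key=times.get)
    return earliest, latest, times[latest] - times[earliest]


# Constructed sample: the relevant lines of the two schema dumps shown in the post.
SCHEMA_DUMP = """\
dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
>lDAPDisplayName: whenChanged
>systemFlags: 19 [NOT REPLICATED(1);PAS-ATTR(2);CAT-1(16)]
>isMemberOfPartialAttributeSet: TRUE

dn:CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=joe,DC=com
>lDAPDisplayName: modifyTimeStamp
>systemFlags: 134217748 [CONSTRUCTED(4);CAT-1(16);NO-RENAME(134217728)]

1 Objects returned
"""

# Constructed sample: whenChanged for the same schema object as read from three DCs,
# converted to GeneralizedTime (UTC) from the Eastern Daylight Time values in the post.
WHEN_CHANGED_BY_DC = {
    "2k3dc02": "20050514161047.0Z",
    "2k3dc10": "20040704222619.0Z",
    "2k3dc11": "20060526230548.0Z",
}

if __name__ == "__main__":
    for entry in parse_adfind(SCHEMA_DUMP):
        ok, names = is_safe_for_change_tracking(entry)
        print(f"{entry['lDAPDisplayName'][0]:16} {names} -> comparable across DCs: {ok}")
    first, last, spread = when_changed_spread(WHEN_CHANGED_BY_DC)
    print(f"whenChanged spread across DCs: {spread} ({first} earliest, {last} latest)")
```

Run against the real thing, the same parser works on `adfind -sc s:<attribute>` output for any attribute you intend to use for change tracking; the point of `is_safe_for_change_tracking` is that the decision comes from the schema bits, not from the Schema snap-in's "replicate to Global Catalog" checkbox, which only reflects isMemberOfPartialAttributeSet.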
Joe,
I work for a company that has more than 100 sites, and every DC in those sites is a Global Catalog. I used AdFind and confirmed the output you mentioned (systemFlags: 19 [NOT REPLICATED(1);) for the whenChanged attribute. When I checked the “whenChanged” attribute using the Schema MMC snap-in, it is marked to replicate to all Global Catalogs. I have checked like 15 different user accounts in DCs from different sites, and they all have almost the same time (some vary by seconds; others by minutes). Why the difference in time?
The global catalog property of the attribute is called isMemberOfPartialAttributeSet. So when you see that set, think of it that way versus as what is replicated. In most cases, they are one and the same, but in the case of whenChanged, as well as member (of groups), they are marked as included in the PAS but are not replicated to GCs. Whatever happens to be in the local DSA for that attribute for that object is what will be returned. That is why, if you query a GC that is a DC of Domain2 for a user of Domain1 and the user is in Domain2\DLG1 (Domain Local Group), you will see that group in the memberOf attribute, but if you query a GC that is a DC of Domain1 you will not see that group.
The different times could be related to replication latency or other local changes.