OK, I'm a conscientious admin, and we've had Active Directory for nearly 20 years. I remember being really careful to make sure Active Directory replication was optimized, we put DNS in Forest containers, etc. Now, however, we have DNS on all our domain controllers because client performance is more important than minimizing replication. We turned on change notification so changes replicate in 5-15 seconds instead of 15-45 minutes.
So I was writing an email explaining LastLogonTimeStamp today, and thinking about it, I have to question why we care so much any more. The way LLTS works, it gets updated if it's more than 9-14 days newer than the stored value. Let's say users do lots of authentications per day; this will tend to be the worst case: replicate once every 9 days. Honestly, if you have more than a few "authentication" events in a day, you're going to replicate LLTS.
The "problem" with LLTS is that it's not that accurate; it can be 9-14 days off. We have an audit requirement to disable inactive users after 30 days. I could write something complicated to query all the DCs' LastLogon, or just set msDS-LogonTimeSyncInterval to 1. Worst case, this increases the replication traffic for LLTS by a factor of 9. Is that significant? Are our network connections 9 times faster than our 2003 network connections? Are our computers 9 times faster than our 2003 computers? I think we can handle it, and it keeps things simple.
set-adobject "DC=cottage,DC=local" -replace @{"msDS-LogonTimeSyncInterval"=1}
Has anyone done this? Did the world end? Should it be the 2019+ default? (Did I miss something and it already is for new domains?)
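The "something complicated" alternative mentioned in the post, as an added example that is not part of the original post: a PowerShell script that reads the domain's current msDS-LogonTimeSyncInterval, builds the 30-day inactive list from the replicated lastLogonTimestamp, and then confirms each candidate against the non-replicated lastLogon attribute on every DC in the domain. It assumes the RSAT ActiveDirectory module is installed, the account running it can read user objects on every DC, and the 30-day threshold from the post; all variable names are the example's own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to every domain controller in the current domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$cutoff = (Get-Date).AddDays(-30)   # audit threshold from the post (assumption)

# 1. What is the current sync interval on the domain NC? Unset means the 14-day default.
$nc = Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval'
$interval = if ($nc.'msDS-LogonTimeSyncInterval') { $nc.'msDS-LogonTimeSyncInterval' } else { 14 }
Write-Host "msDS-LogonTimeSyncInterval = $interval day(s); lastLogonTimestamp may lag real logons by up to that much."

# 2. Candidate list from the replicated attribute. This can over-report: a user whose
#    real last logon is inside the window may still carry an older stored value.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp |
    Where-Object {
        -not $_.lastLogonTimestamp -or
        [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff
    }

# 3. Cross-check every candidate against lastLogon on each DC. lastLogon is never
#    replicated, so the newest value across all DCs is the accurate answer.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($u in $candidates) {
    $latestFt = [long]0           # newest lastLogon seen, as a FILETIME
    $unreachable = @()

    foreach ($dc in $dcs) {
        try {
            $r = Get-ADUser -Identity $u.DistinguishedName -Server $dc -Properties lastLogon
            if ($r.lastLogon -gt $latestFt) { $latestFt = $r.lastLogon }
        } catch {
            # A DC we could not read might hold the newest logon; flag rather than guess.
            $unreachable += $dc
        }
    }

    $accurate = if ($latestFt -gt 0) { [DateTime]::FromFileTime($latestFt) } else { $null }

    [PSCustomObject]@{
        SamAccountName     = $u.SamAccountName
        LastLogonTimestamp = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        LastLogonAllDCs    = $accurate
        TrulyInactive      = ((-not $accurate) -or ($accurate -lt $cutoff)) -and ($unreachable.Count -eq 0)
        UnreachableDCs     = ($unreachable -join ',')
    }
}
```

Because lastLogonTimestamp is only ever equal to or older than the real last logon, the replicated attribute can never hide an inactive account; its failure mode is the opposite one, disabling a user who actually logged on within the last 30 days but whose stored value was not refreshed. Rows with LastLogonAllDCs newer than LastLogonTimestamp are exactly those cases. The per-DC loop is the cost of that accuracy: one LDAP query per candidate per DC, which is what setting the interval to 1 day trades away in exchange for more frequent LLTS replication. Rows with any UnreachableDCs are deliberately left as not inactive, since a missing DC could hold the newest logon.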