What are some potential reasons why Last Logon Statistics gathering may fail or not be accurate? (NETIQKB73267)

  • 7773267
  • 15-Nov-2011
  • 11-Aug-2016

Environment

Directory & Resource Administrator 8.6.2
Directory & Resource Administrator 8.7.x
Directory & Resource Administrator 9.0.x

Situation

What are some potential reasons why Last Logon Statistics gathering may fail or not be accurate?

Why are Last Logon times not accurate?

Last Logon date/timestamps are not accurate.

Resolution

Below are some possible reasons why Last Logon times may be inaccurate after collection:

1) Last logon stats are not enabled for the managed domain. Last logon stats are enabled on a per-domain basis. This is done through the Delegation and Configuration Console (D&C) while logged on as a DRA Admin. Ensure that they have been enabled for all the domains you are managing and for which you want the stats gathered.

2) Last logon stats are not gathered for Trusted domains. Last logon stats are only gathered for users in managed domains. If the domain is Trusted, but not being managed by DRA, no last logon stats will be gathered.

3) Last logon stats are enabled on a per-DRA server basis. This needs to be enabled on each DRA server you want to be able to use and see current last logon stats. If last logon stats are not enabled for each of your managed domains on each DRA server, then only those servers where it is enabled will be able to display or report on last logon stats.

4) The credentials for the DRA Service Account or Override Account have changed. If either of these credentials has changed, the DRA service should be restarted to pick up the change, and the Access Account information should be updated for the managed domain(s) on each DRA server. Without doing this, the credentials DRA uses to obtain the last logon stats from the domain controllers will not have permission to do so.

5) Agents are not deployed or are not being deployed from all DRA servers (pre-DRA 8.6 SP1). Last logon stat gathering is dependent upon the DRA Agent being deployed to all domain controllers in your managed domain. Without this, DRA will have no way to communicate with the domain controllers and request the stats. Furthermore, each DRA server needs to be registered with the DRA Agent on all domain controllers. If the DRA Agent is not turned on for a particular DRA server, that server will be unable to gather last logon stats.

6) The DRA Service Account or Override account needs to have administrative rights to all domain controllers in order to deploy the DRA Agent and request last logon stats. Ensure the Access Account is a member of Domain Admins (pre-DRA 8.6 SP1).

7) The last logon schedule is not consistent for all managed domains or DRA servers. The interval at which last logon stats are gathered should remain consistent across all managed domains and DRA servers. If the intervals are different, then last logon stats may not always be accurate for all user objects being managed.

8) Departmental Support is present. DRA cannot collect last logon stats for partially managed domains through the use of Departmental Support. DRA needs access to the entire sub-tree of OUs for the entire managed domain in order to enable last logon statistic gathering.

 

Additional Information

Formerly known as NETIQKB73267

The last logon attribute within DRA can be populated either by the value stored within AD (Last Logon Time Stamp) or by the value collected from each local DC (Last Logon). The troubleshooting steps in this document refer to the local DC value. For a detailed explanation of the difference between the two values, see http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
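
To cross-check the local DC value independently of DRA, the following added example (not NetIQ or DRA code) reads `lastLogon` from every domain controller, keeps the newest value, and reports it beside the replicated `lastLogonTimestamp`, which can lag behind it. It assumes the ActiveDirectory PowerShell module for the live query; the DC names, the account name `jdoe` and the sample timestamps are constructed.

```powershell
# Added example, not DRA code. Only Get-PerDcLastLogon needs the ActiveDirectory module.
function ConvertFrom-FileTimeUtc([long]$FileTime) {
    # 0 means this DC has never recorded a logon for the user
    if ($FileTime -gt 0) { [DateTime]::FromFileTimeUtc($FileTime) }
}

function Get-PerDcLastLogon([string]$SamAccountName) {
    # lastLogon is not replicated, so every DC must be asked individually
    foreach ($dc in Get-ADDomainController -Filter *) {
        $rec = [pscustomobject]@{ DC = $dc.HostName; Reachable = $false
                                  LastLogon = 0L; LastLogonTimestamp = 0L }
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                     -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
            $rec.Reachable = $true
            $rec.LastLogon = [long]$u.lastLogon
            $rec.LastLogonTimestamp = [long]$u.lastLogonTimestamp
        } catch { Write-Warning "No answer from $($dc.HostName): $_" }
        $rec
    }
}

function Resolve-LastLogon($Records) {
    $ok     = @($Records | Where-Object Reachable)
    $newest = $ok | Sort-Object LastLogon -Descending | Select-Object -First 1
    $repl   = $ok | Sort-Object LastLogonTimestamp -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastLogonUtc   = ConvertFrom-FileTimeUtc $newest.LastLogon
        SourceDC       = $newest.DC
        ReplicatedUtc  = ConvertFrom-FileTimeUtc $repl.LastLogonTimestamp
        UnreachableDCs = @($Records | Where-Object { -not $_.Reachable } | ForEach-Object DC)
        Complete       = ($ok.Count -eq @($Records).Count)  # false => result may be stale
    }
}

# Constructed sample records (hypothetical DC names) so the logic runs without a domain
function New-Ft($d, $h) { [DateTime]::new(2016, 8, $d, $h, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc() }
$sample = @(
    [pscustomobject]@{ DC='dc01.example.test'; Reachable=$true;  LastLogon=(New-Ft 3 8);  LastLogonTimestamp=(New-Ft 1 7) }
    [pscustomobject]@{ DC='dc02.example.test'; Reachable=$true;  LastLogon=(New-Ft 10 9); LastLogonTimestamp=(New-Ft 1 7) }
    [pscustomobject]@{ DC='dc03.example.test'; Reachable=$false; LastLogon=0L;            LastLogonTimestamp=0L }
)
Resolve-LastLogon $sample | Format-List
# Against a live domain (hypothetical account): Resolve-LastLogon (Get-PerDcLastLogon 'jdoe')
```

When `Complete` is false, at least one domain controller did not answer, so the newest logon may be missing from the result, the same condition that makes a collection incomplete when not every DC can be queried.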