I discussed the lastLogonTimeStamp attribute, new to a Windows Server 2003 domain, and enhanced in Windows Server 2003 Service Pack 1, in tip 7801 and tip 8080.
To minimize domain wide replication for every logon, lastLogonTimeStamp is updated periodically. The default interval is a random number from about 10 to 14 days, controlled by the domain's msDS-LogonTimeSyncInterval attribute, which defaults to 14 days, and a randomizer that prevents excessive replication when the domain functional level is first raised. Actual replication does not occurs until the first successful logon after the randomized msDS-LogonTimeSyncInterval value is reached.
For a more complete explanation of lastLogonTimeStamp replication, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx from the Stale Account Detection heading through the Scripting stale account detection heading.
